
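# Nuclei template: detects a WordPress Duplicator (Lite) installer page that is
# still reachable without authentication at one of its two known locations.
# The listing this was restored from had all indentation stripped, which makes
# `info:`/`http:` parse as null and the keys below them as top-level entries;
# the nesting below is the form nuclei expects.
id: CVE-2022-2551

info:
  name: WordPress Duplicator <1.4.7 - Authentication Bypass
  author: LRTK-CODER
  severity: high
  description: |
    WordPress Duplicator plugin before 1.4.7 is susceptible to authentication bypass. The plugin discloses the URL of the backup to unauthenticated visitors accessing the main installer endpoint. If the installer script has been run once by an administrator, this allows download of the full site backup without proper authentication.
  # NOTE(review): name/description say "before 1.4.7" while remediation says
  # "1.4.7.1" - the affected-version boundary is inconsistent here; confirm the
  # fixed version against the NVD/wpscan references before reporting it.
  remediation: Fixed in version 1.4.7.1.
  reference:
    - https://wpscan.com/vulnerability/f27d753e-861a-4d8d-9b9a-6c99a8a7ebe0
    - https://wordpress.org/plugins/duplicator/
    - https://github.com/SecuriTrust/CVEsLab/tree/main/CVE-2022-2551
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2551
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2022-2551
    cwe-id: CWE-425
    epss-score: 0.79836
    epss-percentile: 0.9798
    cpe: cpe:2.3:a:snapcreek:duplicator:*:*:*:*:lite:wordpress:*:*
  metadata:
    verified: true
    # One GET per candidate path below.
    max-request: 2
    vendor: snapcreek
    product: duplicator
    framework: wordpress
    google-query: inurl:/backups-dup-lite/dup-installer/
  tags: cve2022,wordpress,wp,wp-plugin,duplicator,wpscan,cve

http:
  - method: GET
    path:
      # Default backup directory of Duplicator Lite, then the older location.
      - "{{BaseURL}}/wp-content/backups-dup-lite/dup-installer/main.installer.php?is_daws=1"
      - "{{BaseURL}}/wp-content/dup-installer/main.installer.php?is_daws=1"

    # All three matchers must hit on the same response: the installer's
    # "restart" link in an HTML body returned with HTTP 200. A hit shows the
    # installer page is served to an unauthenticated client; the template does
    # not retrieve the backup URL or the archive itself, so the download impact
    # described above still has to be confirmed by hand against the page.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "<a href='../installer.php'>restart this install process</a>"
        # Only one word is listed, so this inner condition has nothing to combine.
        condition: and

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# NOTE(review): the digest below signs the upstream template body. Any local
# change to this file (including the comments added here) no longer matches it,
# so nuclei will treat the template as modified/unsigned - re-sign it or drop
# the digest line when vendoring an edited copy.
# digest: 4b0a00483046022100ee247edbff82af8c84a78a00636f78801d04e12cf74a639ae9b3474337900c1b022100ee8ddf28808cfe33a8b1fda052df4865f78d7f0795b5f5d8b0aa4ebf31b02c30:922c64590222798bb761d5b6d8e72950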