forked from adysec/nuclei_poc
-
Notifications
You must be signed in to change notification settings - Fork 0
/
blogvault-real-time-backup-77b677151a40237ae58691d865e46625.yaml
59 lines (52 loc) · 1.97 KB
/
blogvault-real-time-backup-77b677151a40237ae58691d865e46625.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
id: blogvault-real-time-backup-77b677151a40237ae58691d865e46625
info:
name: >
BlogVault WordPress Backup Plugin 1.40 - 1.44 - Unauthenticated PHP Object Injection
author: topscoder
severity: critical
description: >
The BlogVault WordPress Backup Plugin for WordPress is vulnerable to PHP Object Injection in versions 1.40 - 1.44 via deserialization of untrusted input in the vulnerable function processApiRequest. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
reference:
- https://github.com/topscoder/nuclei-wordfence-cve
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01139cbd-1116-4cf8-bdcb-cb182588d093?source=api-prod
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
cvss-score: 8.3
cve-id:
metadata:
fofa-query: "wp-content/plugins/blogvault-real-time-backup/"
google-query: inurl:"/wp-content/plugins/blogvault-real-time-backup/"
shodan-query: 'vuln:'
tags: cve,wordpress,wp-plugin,blogvault-real-time-backup,critical
http:
- method: GET
redirects: true
max-redirects: 3
path:
- "{{BaseURL}}/wp-content/plugins/blogvault-real-time-backup/readme.txt"
extractors:
- type: regex
name: version
part: body
group: 1
internal: true
regex:
- "(?mi)Stable tag: ([0-9.]+)"
- type: regex
name: version
part: body
group: 1
regex:
- "(?mi)Stable tag: ([0-9.]+)"
matchers-condition: and
matchers:
- type: status
status:
- 200
- type: word
words:
- "blogvault-real-time-backup"
part: body
- type: dsl
dsl:
- compare_versions(version, '>= 1.40', '<= 1.44')