id: CVE-2023-6933

info:
  name: Better Search Replace < 1.4.5 - PHP Object Injection
  author: pussycat0x
  severity: critical
  description: |
    The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
  impact: |
    Attackers can execute arbitrary code, delete files, or retrieve sensitive data on the server.
  remediation: Update to the latest version of the plugin, version 1.4.5 or later.
  reference:
    - https://posimyth.ticksy.com/ticket/2713734/
    - https://www.wordfence.com/blog/2021/03/critical-0-day-in-the-plus-addons-for-elementor-allows-site-takeover/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-6933
    cwe-id: CWE-502
    epss-score: 0.9303
    epss-percentile: 0.99792
    cpe: cpe:2.3:a:wpengine:better_search_replace:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    fofa-query: body="/wp-content/plugins/better-search-replace/"
    max-request: 1
    vendor: wpengine
    product: better_search_replace
    framework: wordpress
  tags: cve,cve2023,wordpress,wp-plugin,wp,wpscan,better-search-replace,passive,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-content/plugins/better-search-replace/README.txt"
      - "{{BaseURL}}/wp-content/plugins/better-search-replace/readme.txt"

    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains(body, 'Better Search')"
          - "compare_versions(version, '< 1.4.5')"
        condition: and

    extractors:
      - type: regex
        part: body
        group: 1
        name: version
        regex:
          - 'Stable tag: ([0-9.]+)'
# digest: 4a0a00473045022047d6e2d6f1b39bbeb22c52f0841d8ffd30d1b3c55ccfdfc9d45d7960c11a8369022100d42e10823451d2f7dac59eb5c5cfd33fe39b1221adb635bd45ef1e1f9d25b819:922c64590222798bb761d5b6d8e72950