create 'wp_plugin_cve_2023_47668_vuln'

OWASP · Feb 28, 2025 · 164e112 · 164e112
1 parent 65192c8
commit 164e112
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 0 deletions.
diff --git a/docs/Modules.md b/docs/Modules.md
@@ -159,6 +159,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**ssl_version_vuln**' - check if the server's SSL configuration supports old and insecure SSL versions
 * '**ssl_weak_cipher_vuln**' - check if server's SSL configuration supports weak cipher suites
 * '**wordpress_dos_cve_2018_6389_vuln**' - check if Wordpress is vulnerable to CVE-2018-6389 Denial Of Service (DOS) 
+* '**wp_plugin_cve_2023_47668_vuln**' - check the target for CVE-2023-47668 
 * '**wp_xmlrpc_bruteforce_vuln**' - check if Wordpress is vulnerable to credential Brute Force via XMLRPC wp.getUsersBlogs
 * '**wp_xmlrpc_pingback_vuln**' - check if Wordpress is vulnerable to XMLRPC pingback 
 * '**x_powered_by_vuln**' - check if the web server is leaking server configuration in 'X-Powered-By' response header

diff --git a/nettacker/modules/vuln/wp_plugin_cve_2023_47668.yaml b/nettacker/modules/vuln/wp_plugin_cve_2023_47668.yaml
@@ -0,0 +1,55 @@
+info:
+  name: wp_plugin_cve_2023_47668_vuln
+  author: Manushya-a
+  severity: 5.3
+  description: The Membership Plugin Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.7 via the legacy log file. This makes it possible for unauthenticated attackers to extract sensitive data including debug information.
+  references: 
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-47668
+    - https://wpscan.com/vulnerability/b7e164be-6b22-42dc-a43f-229a482f463d/
+
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - medium_severity
+    - wordpress
+    - wp
+    - Membership_Plugin_Restrict_Content
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+          Accept-Language: en-US
+          Content-Type: text/plain
+          Accept: text/html
+          Accept-Encoding: gzip, deflate, br
+          Connection: keep-alive
+
+        allow_redirects: true
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/wp-content/uploads/rcp-debug.log"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "wp_rcp_discounts"
+              reverse: false