create 'wp_plugin_cve_2023_47668_vuln' (#1029)

* create 'wp_plugin_cve_2023_47668_vuln' * Update wp_plugin_cve_2023_47668.yaml
OWASP · Mar 2, 2025 · 71ea8a7 · 71ea8a7
1 parent 65192c8
commit 71ea8a7
Show file tree

Hide file tree

Showing 2 changed files with 55 additions and 0 deletions.
diff --git a/docs/Modules.md b/docs/Modules.md
@@ -159,6 +159,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**ssl_version_vuln**' - check if the server's SSL configuration supports old and insecure SSL versions
 * '**ssl_weak_cipher_vuln**' - check if server's SSL configuration supports weak cipher suites
 * '**wordpress_dos_cve_2018_6389_vuln**' - check if Wordpress is vulnerable to CVE-2018-6389 Denial Of Service (DOS) 
+* '**wp_plugin_cve_2023_47668_vuln**' - check the target for CVE-2023-47668 
 * '**wp_xmlrpc_bruteforce_vuln**' - check if Wordpress is vulnerable to credential Brute Force via XMLRPC wp.getUsersBlogs
 * '**wp_xmlrpc_pingback_vuln**' - check if Wordpress is vulnerable to XMLRPC pingback 
 * '**x_powered_by_vuln**' - check if the web server is leaking server configuration in 'X-Powered-By' response header

diff --git a/nettacker/modules/vuln/wp_plugin_cve_2023_47668.yaml b/nettacker/modules/vuln/wp_plugin_cve_2023_47668.yaml
@@ -0,0 +1,54 @@
+info:
+  name: wp_plugin_cve_2023_47668_vuln
+  author: Manushya-a
+  severity: 5.3
+  description: The Membership Plugin Restrict Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.7 via the legacy log file. This makes it possible for unauthenticated attackers to extract sensitive data including debug information.
+  references: 
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-47668
+    - https://wpscan.com/vulnerability/b7e164be-6b22-42dc-a43f-229a482f463d/
+
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - medium_severity
+    - wordpress
+    - wp
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          User-Agent: "{user_agent}"
+          Accept-Language: en-US
+          Content-Type: text/plain
+          Accept: text/html
+          Accept-Encoding: gzip, deflate, br
+          Connection: keep-alive
+
+        allow_redirects: true
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/wp-content/uploads/rcp-debug.log"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              schema:
+                - "http"
+                - "https"
+              ports:
+                - 80
+                - 443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            content:
+              regex: "wp_rcp_discounts"
+              reverse: false