
PoC details: 2513d8dfdd443c98dfe4b2a59337595ed8b7f8fb

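Source
Related vulnerability
Title: WordPress Plugin GP Unique ID security vulnerability (CVE-2024-0710)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that supports setting up personal blog sites on servers running PHP and MySQL. A WordPress plugin is an application plugin. WordPress Plugin GP Unique ID 1.5.5 and earlier contain a security vulnerability caused by insufficient input validation; an attacker may exploit it to tamper with the generation of the unique ID on form submission.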
Description
Unauthenticated Form Submission Unique ID Modification
Introduction
# CVE-2024-0710

- Vulnerability: [CVE-2024-0710](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gp-unique-id/gp-unique-id-155-unauthenticated-form-submission-unique-id-modification) (Unauthenticated Form Submission Unique ID Modification)
- CVSS: 5.3 (Medium)
- Software: GP Unique ID (gp-unique-id)
- Affected versions: <= 1.5.5
- Patched version: 1.5.6
- Developer: Gravity Wiz
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-04-10
- Last updated: 2024-04-18

## Overview 
An unauthenticated form submitter can choose a custom value for a field that is supposed to always have a random or sequential value. This vulnerability only affects sites where the value must be either random or sequential for legal, functional or security reasons. 

## Background

GP Unique ID is an addon for Gravity Forms. It assigns unique IDs to entries after successful submission. In contrast to the entries’ actual database IDs, the GP Unique IDs, hereafter called GPUIDs, can be customized by the form creator to follow a specific syntax with defined starting number, character set, length, prefix, and suffix. The GPUID is stored in a custom Gravity Forms entry field. The field is hidden on the frontend. 

The plugin developer lists the following common use cases for GP Unique ID.  

- Provide a set-length confirmation or reference number for each entry.
- Maintain a sequential invoice number.
- Generate a unique coupon code that can be used on subsequent form submissions.
- Generate a unique number for use in raffles.

## The vulnerability

GP Unique ID assigns the GPUID after the form has been successfully submitted, but only if the field doesn’t already contain a value. This allows a form submitter to set a custom GPUID when submitting the form. Since the field isn’t empty, no real GPUID gets stored. A visitor can therefore:

- set a GPUID that doesn’t follow the syntax
- set a GPUID that isn’t sequential
- set a GPUID that isn’t random
- set a GPUID that is already assigned to another entry.

## Patches

Gravity Wiz released a patched version of the plugin on 2024-04-09. Site administrators should update to the patched version (1.5.6) and, if relevant, make sure the previous submissions haven’t been tampered with. 
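
One way to run the check on previous submissions recommended above, as an added example that is not part of the original README or of the plugin: it audits exported (entry ID, GPUID) pairs for the outcomes listed under "The vulnerability". The `INV-` pattern, the `max_gap` tolerance and the sample entries are constructed assumptions; a submitter-chosen value that is well-formed and unused cannot be told apart from a random one by its value alone.

```python
import re
from collections import Counter

# Constructed sample export: (entry ID, stored GPUID) in submission order.
SAMPLE_PATTERN = r"INV-(?P<n>\d{4})"  # assumed syntax of a sequential invoice form
SAMPLE_ENTRIES = [
    (101, "INV-0001"),
    (102, "INV-0002"),
    (103, "INV-9999"),  # well-formed, but not the next number
    (104, "INV-0003"),
    (105, "FREE"),      # does not follow the syntax
    (106, "INV-0002"),  # already assigned to entry 102
    (107, "INV-0004"),
]


def audit_gpuids(entries, pattern, sequential=False, start=1, max_gap=0):
    """Return (entry_id, gpuid, reason) findings for stored GPUIDs.

    pattern is a regex for the form's configured syntax; for sequential
    forms it needs a named group "n" holding the counter. max_gap is how
    many skipped numbers to tolerate (e.g. deleted entries).
    """
    rx = re.compile(pattern)
    seen = Counter(gpuid for _, gpuid in entries)
    last = start - 1  # last counter value accepted as in sequence
    findings = []
    for entry_id, gpuid in entries:
        match = rx.fullmatch(gpuid)
        if match is None:
            findings.append((entry_id, gpuid, "syntax"))
        # Both holders of a duplicate are reported: the value alone does
        # not show which entry received it from the plugin.
        if seen[gpuid] > 1:
            findings.append((entry_id, gpuid, "duplicate"))
        if sequential and match is not None:
            n = int(match.group("n"))
            if last < n <= last + 1 + max_gap:
                last = n
            else:
                findings.append((entry_id, gpuid, "out-of-sequence"))
    return findings


if __name__ == "__main__":
    for finding in audit_gpuids(SAMPLE_ENTRIES, SAMPLE_PATTERN, sequential=True):
        print(finding)
```
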

- 2024-01-13 I reported the vulnerability to Gravity Wiz (according to Project Zero’s 90-day responsible disclosure policy).
- 2024-01-13 I submitted the vulnerability to Wordfence’s CNA. I declined to participate in their bug-bounty program.
- 2024-01-15 Gravity Wiz confirmed they had received the report.
- 2024-01-16 Gravity Wiz acknowledged the vulnerability and told me they would release a patch for it. 
- 2024-01-19 Wordfence assigned the vulnerability CVE ID CVE-2024-0710.
- 2024-02-29 I sent a 45-day reminder to Gravity Wiz.
- 2024-04-01 I sent a reminder that the 90-day responsible disclosure window would end in two weeks.
- 2024-04-07 Gravity Wiz sent me a pre-release version of the patched plugin. 
- 2024-04-09 Gravity Wiz released the patched plugin, 87 days after initial report (within the 90-day responsible disclosure window).
File snapshot

[4.0K] /data/pocs/2513d8dfdd443c98dfe4b2a59337595ed8b7f8fb
└── [3.1K] README.md

0 directories, 1 file