CVE-2020-36333 PoC — WordPress 插件访问控制错误漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-36333.yaml

Associated Vulnerability

Title:WordPress 插件访问控制错误漏洞 (CVE-2020-36333)
Description:WordPress 插件是WordPress开源的一个应用插件。 WordPress 插件 themegrill-demo-importer 1.6.3之前版本存在访问控制错误漏洞，该漏洞源于清除数据库时不需要身份验证。

Description

ThemeGrill Demo Importer before 1.6.2 does not require authentication for wiping the database due to a reset_wizard_actions hook. In versions 1.3.4 and above and versions 1.6.1 and below, there is a vulnerability that allows any unauthenticated user to wipe the entire database to its default state after which they are automatically logged in as an administrator.

File Snapshot


 id: CVE-2020-36333

info:
  name: ThemeGrill Demo Importer < 1.6.2 - Database Reset
  author: iamnoo

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!