CVE-2020-20627 PoC — WordPress 访问控制错误漏洞

Source

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-20627.yaml

Associated Vulnerability

Title:WordPress 访问控制错误漏洞 (CVE-2020-20627)
Description:WordPress是WordPress基金会的一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。Give是使用在其中的一个筹款平台插件。htaccess是使用在其中的一个访问控制插件。relevant是使用在其中的一个相关内容显示插件。File Upload是使用在其中的一个文件上传插件。 WordPress 插件GiveWP中的admin-actions.php从2.5.9版本开始存在安全漏洞，该漏洞源于可以对未经验证的设置更改。

Description

GiveWP plugin through 2.5.9 for WordPress contains an unauthenticated settings change caused by insecure access in includes/gateways/stripe/includes/admin/admin-actions.php, letting attackers modify settings without authentication, exploit requires no authentication.

File Snapshot


 id: CVE-2020-20627

info:
  name: GiveWP - Missing Authorization to Settings Update
  author: daffai

...

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!