Related vulnerability
Title: WordPress plugin Top Store security vulnerability (CVE-2024-10673)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports hosting a personal blog site on a server running PHP and MySQL. WordPress plugin is an application plug-in. The WordPress plugin Top Store in version 1.5.4 and earlier contains a security vulnerability caused by a missing capability check on the top_store_install_and_activate_callback function. An attacker can exploit this vulnerability to escalate privileges and obtain remote code execution.
Description
Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Introduction
## 🔥 Overview
This script exploits **CVE-2024-10673**, a critical vulnerability found in the **Top Store WordPress Theme (<= 1.5.4)**. The flaw allows **authenticated users with subscriber-level access or higher** to install and activate arbitrary plugins via unprotected AJAX requests.
## ⚠️ Severity & Impact
- **Unauthorized Plugin Installation**: Authenticated attackers with only **subscriber privileges** can install plugins without admin approval.
- **Remote Code Execution (RCE) Possibility**: If a malicious plugin is installed, attackers may execute arbitrary code.
- **Privilege Escalation**: Attackers can install plugins that grant them administrative access.
## 🛠️ Features of This Exploit
- **Automates the attack** by extracting the required `nonce` dynamically.
- **Allows plugin selection** (users can specify which plugin to install and activate).
- **Supports JSON-formatted responses** for structured logging.
- **Handles errors gracefully**, ensuring robust execution.
## ⚡ How the Exploit Works
1. **Login to WordPress** using valid credentials.
2. **Extract the AJAX nonce** from `themes.php?page=thunk_started`.
3. **Send an AJAX request to install a plugin** (default: `hunk-companion` or user-defined plugin).
4. **Send another request to activate the plugin.**
5. **Output JSON responses** indicating success or failure.
## 🚀 Usage
```bash
usage: u.py [-h] -u URL -un USERNAME -p PASSWORD [-pl PLUGIN]

Exploit CVE-2024-10673 - WordPress Plugin Installation & Activation by : # By Nxploit | Khaled Alenazi

options:
  -h, --help            show this help message and exit
  -u URL, --url URL     Target WordPress URL (e.g., http://192.168.100.74:888/wordpress)
  -un USERNAME, --username USERNAME
                        WordPress Username
  -p PASSWORD, --password PASSWORD
                        WordPress Password
  -pl PLUGIN, --plugin PLUGIN
                        Plugin slug to install and activate (default: hunk-companion)
```
### Examples
- **Install and activate the default plugin (`hunk-companion`)**:
```bash
python exploit.py -u http://192.168.100.74:888/wordpress -un admin -p admin
```
- **Install and activate a specific plugin (`woocommerce`)**:
```bash
python CVE-2024-10673.py -u http://192.168.100.74:888/wordpress -un admin -p admin -pl woocommerce
```
## 📝 Expected Output
```text
{"Logged in successfully"}
{"Fetching nonce value..."}
{"Nonce extracted": "abc123"}
{"Installing plugin: woocommerce..."}
{"Plugin woocommerce installed successfully"}
{"Activating plugin: woocommerce..."}
{"Plugin woocommerce activated successfully"}
{"Exploit completed successfully!"}
```
## 🔒 Mitigation
To secure your WordPress site:
- **Update to a patched version** of the Top Store theme.
- **Restrict subscriber permissions** to prevent unnecessary access.
- **Monitor installed plugins** for unauthorized changes.
- **Disable plugin installation** for non-administrators.
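The root cause named in the advisory above is a missing capability check on `top_store_install_and_activate_callback`. The following is an added example of what that AJAX handler looks like with the checks in place; it is not the Top Store theme's code and not the exploit author's. The callback name comes from the advisory on this page; the AJAX action hook name, the nonce action string, the `plugin` request parameter and the `top_store_do_install_and_activate` helper are assumptions made for the example. The WordPress functions used (`check_ajax_referer`, `current_user_can`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added example (hardened handler), not the theme's own code.
// Assumed names: the 'top_store_install_and_activate' action, the
// 'top_store_install_activate_nonce' nonce action, the 'plugin' POST field.
add_action( 'wp_ajax_top_store_install_and_activate', 'top_store_install_and_activate_callback' );

function top_store_install_and_activate_callback() {
    // 1. Nonce check: stops cross-site requests. Note that on its own this is
    //    not an authorization boundary; the README above shows a subscriber
    //    can read the nonce from the theme's admin page.
    check_ajax_referer( 'top_store_install_activate_nonce', 'nonce' );

    // 2. Capability check: the check the advisory says was missing. A
    //    Subscriber has neither install_plugins nor activate_plugins, so the
    //    request ends here with HTTP 403 instead of reaching the installer.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Do not let the client pick an arbitrary slug: only the companion
    //    plugin the theme actually needs is accepted (slug from this README).
    $allowed = array( 'hunk-companion' );
    $slug    = isset( $_POST['plugin'] ) ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not permitted.' ), 400 );
    }

    // Privileged work happens only after all three checks passed.
    $result = top_store_do_install_and_activate( $slug );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'message' => "Plugin {$slug} installed and activated." ) );
}

// Assumed helper: installs a plugin from wordpress.org and activates it.
// Returns null on success or a WP_Error on failure.
function top_store_do_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the slug to a download link via the plugins API.
    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $api->download_link ); // true, false or WP_Error
    if ( is_wp_error( $installed ) ) {
        return $installed;
    }
    if ( ! $installed ) {
        return new WP_Error( 'install_failed', 'Plugin installation failed.' );
    }

    // plugin_info() gives the main plugin file relative to the plugins dir.
    $plugin_file = $upgrader->plugin_info();
    if ( ! $plugin_file ) {
        return new WP_Error( 'no_plugin_file', 'Could not determine the installed plugin file.' );
    }
    return activate_plugin( $plugin_file ); // null on success, WP_Error otherwise
}
```

The ordering matters for the mitigation items above: the capability check is the one that actually closes this issue, because the nonce is readable by any logged-in user and the plugin slug is attacker-controlled input. Restricting accepted slugs to an allow-list additionally removes the "install any plugin" primitive even if a higher-privileged account is compromised.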
## ⚠️ Disclaimer
**This script is for educational and security research purposes only.** Unauthorized use against systems you do not own or have explicit permission to test is illegal. Use responsibly!
*By: Khaled Alenazi (Nxploit)*
File snapshot
[4.0K] /data/pocs/dd4d3a3eb4be1d138c0b4fc88b4487c034c4556a
├── [6.2K] CVE-2024-10673.py
└── [3.1K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the code through the original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating to the local POC. Thank you for your support.