
CVE-2024-5057 Easy Digital Downloads

Hi there

As I couldn't find a valid PoC for this vulnerability, I tried to find out some more information based on what was patched in the secured version.

Based on my observation, I think the code that most looks like the vulnerable code for this vulnerability is in this file: [pluginname]/src/Downloads/Search.php

In the vulnerable version:

PHP:
public function filter_where( $where, $wp_query ) {
    $search = $wp_query->get( 'edd_search' );
    if ( ! $search ) {
        return $where;
    }

    $terms = $this->parse_search_terms( $search );
    if ( empty( $terms ) ) {
        return $where;
    }

    global $wpdb;
    $query = '';
    foreach ( $terms as $term ) {
        $operator = empty( $query ) ? '' : ' AND ';
        // esc_like() only backslash-escapes %, _ and \ ; quotes are left as-is
        $term     = $wpdb->esc_like( $term );
        // the term is interpolated directly into the SQL string, no prepare()
        $query   .= "{$operator}{$wpdb->posts}.post_title LIKE '%{$term}%'";
    }
    if ( $query ) {
        $where .= " AND ({$query})";
    }

    return $where;
}

In the patched version:

PHP:
public function filter_where( $where, $wp_query ) {
    $search = $wp_query->get( 'edd_search' );
    if ( ! $search ) {
        return $where;
    }

    $terms = $this->parse_search_terms( $search );
    if ( empty( $terms ) ) {
        return $where;
    }

    global $wpdb;
    $query = '';
    foreach ( $terms as $term ) {
        $operator = empty( $query ) ? '' : ' AND ';
        // wildcards are escaped and the term is unslashed, then passed as data
        $term     = '%' . $wpdb->esc_like( wp_unslash( $term ) ) . '%';
        // the %s placeholder quotes and escapes the term inside prepare()
        $query   .= $wpdb->prepare( "{$operator}{$wpdb->posts}.post_title LIKE %s", $term );
    }
    if ( $query ) {
        $where .= " AND ({$query})";
    }

    return $where;
}

As you can see, the vulnerable version didn't use $wpdb->prepare() before it was patched, so maybe the vulnerability is in this part.

Test your payload to get past esc_like and inject your payload into the terms for the search.

Sorry, I'm not in good health at the moment to reproduce a full PoC here.

Maybe this will help you to inject your target.
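
The two builders side by side, as an added example that is not from the post above and not Easy Digital Downloads code: a Python model of the pre-patch and post-patch filter_where() loops, run against an in-memory SQLite table standing in for wp_posts. Assumptions: SQLite with an explicit ESCAPE '\' clause stands in for MySQL's default backslash escaping in LIKE, parameter binding stands in for $wpdb->prepare() with %s, the sample titles are constructed, and the terms are fed in exactly as typed (the post does not show what parse_search_terms() does, and the wp_unslash() added in the patch suggests the real terms arrive slashed, so whether a quote reaches this filter unescaped in the real plugin is not settled here). The esc_like() model does what WordPress's wpdb::esc_like() does: it backslash-escapes only %, _ and \ and leaves quotes alone, which is why it is meant to be followed by prepare().

```python
import sqlite3

# Constructed sample post titles standing in for wp_posts rows (not real data).
SAMPLE_TITLES = ["Hello World", "Secret Draft", "Save 100% today", "Pricing Table"]


def esc_like(text: str) -> str:
    """Model of WordPress wpdb::esc_like(): backslash-escape the LIKE
    wildcards % and _ and the backslash itself. It deliberately does NOT
    touch quotes; that is the job of prepare() / parameter binding."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_where_vulnerable(terms):
    """Pre-patch pattern: the esc_like()'d term is interpolated straight into
    the SQL text. A single quote inside the term terminates the literal."""
    clauses = []
    for term in terms:
        term = esc_like(term)
        clauses.append(f"posts.post_title LIKE '%{term}%' ESCAPE '\\'")
    return " AND (" + " AND ".join(clauses) + ")"


def build_where_patched(terms):
    """Post-patch pattern: the LIKE pattern travels as a bound parameter
    (assumed stand-in for $wpdb->prepare() with %s), so quotes stay data."""
    clauses, params = [], []
    for term in terms:
        clauses.append("posts.post_title LIKE ? ESCAPE '\\'")
        params.append("%" + esc_like(term) + "%")
    return " AND (" + " AND ".join(clauses) + ")", params


def make_sample_db():
    """In-memory SQLite table with the constructed titles (stand-in for wp_posts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (post_title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?)", [(t,) for t in SAMPLE_TITLES])
    return conn


def search_titles(conn, where_sql, params=()):
    """Append the generated WHERE fragment to a base query, as WP_Query does."""
    sql = "SELECT post_title FROM posts WHERE 1=1" + where_sql
    return [row[0] for row in conn.execute(sql, params)]


def compare(term):
    """Run one search term through both builders; returns (vulnerable, patched)."""
    conn = make_sample_db()
    vuln = search_titles(conn, build_where_vulnerable([term]))
    where, params = build_where_patched([term])
    safe = search_titles(conn, where, params)
    return vuln, safe


if __name__ == "__main__":
    # Ordinary terms behave identically, and esc_like() keeps "100%" literal.
    print(compare("hello"))
    print(compare("100%"))
    # A quote, a closing paren and a "-- " comment (trailing space required by
    # MySQL) escape the literal in the vulnerable build and comment out the rest.
    print(build_where_vulnerable(["%') OR 1=1 -- "]))
    print(compare("%') OR 1=1 -- "))
```

The printed vulnerable fragment shows the mechanism: the `%` is neutralised to `\%` by esc_like(), but the `'` is passed through, so the generated SQL becomes `... LIKE '%\%') OR 1=1 -- ...` and the injected `OR 1=1` returns every row, while the bound-parameter version searches for that whole string as a literal and returns nothing.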
 

