Attacker Value

Very High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

CVE-2020-24186

Disclosure Date: August 24, 2020 •

CVE-2020-24186 CVSS v3 Base Score: 10.0

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Initial Access

Techniques

Validation

Exploit Public-Facing Application

Validated

Metasploit Module

exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload

Description

A Remote Code Execution vulnerability exists in the gVectors wpDiscuz plugin 7.0 through 7.0.4 for WordPress, which allows unauthenticated users to upload any type of file, including PHP files via the wmuUploadFiles AJAX action.

Add Assessment

noraj (102)

June 25, 2021 8:12am UTC (2 years ago)•Edited 2 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Unauthenticated Vulnerable in uncommon configuration

Technical Analysis

This plugin is not that commonly deployed on Wordpress installations and to detected it you need the aggressive plugin mode of Wpscan enabled else wpDiscuz won’t be even detected.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

10.0 Critical

Impact Score:

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Changed

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

gvectors

Products

wpdiscuz

Metasploit Modules

exploit/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_wpdiscuz_unauthenticated_file_upload.rb)

References

Canonical

CVE-2020-24186 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24186)

Exploit

The following exploit POCs have not been verified by Rapid7 researchers, but are sourced from: nomi-sec/PoC-in-GitHub.
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.

Original metasploit module (https://github.com/hoanx-2146/wpDiscuz_unauthenticated_arbitrary_file_upload)

Miscellaneous

https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin

https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/

http://packetstormsecurity.com/files/162983/WordPress-wpDiscuz-7.0.4-Shell-Upload.html

http://packetstormsecurity.com/files/163012/WordPress-wpDiscuz-7.0.4-Remote-Code-Execution.html

http://packetstormsecurity.com/files/163302/WordPress-wpDiscuz-7.0.4-Shell-Upload.html

Rapid7

Very High

CVE-2020-24186

Very High

Very High

None

None

Network

CVE-2020-24186

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Very High

CVE-2020-24186

Very High

Very High

None

None

Network

CVE-2020-24186

Description

Add Assessment

Ratings

Technical Analysis

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Exploit

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification