Merge pull request #157 from Ostorlab/feature/cve-2024-11205

Add version detection for Wpforms plugin
Ostorlab · Dec 13, 2024 · ff0e617 · ff0e617
2 parents d245530 + 48ad0d0
commit ff0e617
Show file tree

Hide file tree

Showing 2 changed files with 139 additions and 0 deletions.
diff --git a/agent/exploits/cve_2024_11205.py b/agent/exploits/cve_2024_11205.py
@@ -0,0 +1,50 @@
+"""Agent Asteroid implementation for CVE-2024-11205"""
+
+import re
+
+from packaging import version
+
+from agent import definitions
+from agent import exploits_registry
+from agent.exploits import webexploit
+
+VERSION_PATTERN = re.compile(r"Stable tag:\s(\d+\.\d+(?:\.\d+)*)")
+MAX_VULNERABLE_VERSION = version.parse("1.9.2.1")
+MIN_VULNERABLE_VERSION = version.parse("1.8.4")
+VULNERABILITY_TITLE = (
+    "WPForms Lite Plugin 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated "
+    "(Subscriber+) Payment Refund and Subscription Cancellation"
+)
+VULNERABILITY_REFERENCE = "CVE-2024-11205"
+VULNERABILITY_DESCRIPTION = (
+    "The WPForms Lite plugin for WordPress is vulnerable to unauthorized modification "
+    "of data due to a missing capability check on the 'wpforms_is_admin_page' function "
+    "in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it "
+    "possible for authenticated attackers, with Subscriber-level access and above, to "
+    "refund payments and cancel subscriptions."
+)
+RISK_RATING = "HIGH"
+
+
+@exploits_registry.register
+class CVE202411205Exploit(webexploit.WebExploit):
+    accept_request = definitions.Request(
+        method="GET", path="/wp-content/plugins/wpforms-lite/readme.txt"
+    )
+    check_request = definitions.Request(
+        method="GET", path="/wp-content/plugins/wpforms-lite/readme.txt"
+    )
+    accept_pattern = [
+        re.compile("Contact Form by WPForms - Drag & Drop Form Builder for WordPress")
+    ]
+    version_pattern = VERSION_PATTERN
+    vuln_ranges = [
+        definitions.VulnRange(MIN_VULNERABLE_VERSION, MAX_VULNERABLE_VERSION)
+    ]
+
+    metadata = definitions.VulnerabilityMetadata(
+        title=VULNERABILITY_TITLE,
+        description=VULNERABILITY_DESCRIPTION,
+        reference=VULNERABILITY_REFERENCE,
+        risk_rating=RISK_RATING,
+    )
diff --git a/tests/exploits/cve_2024_11205_test.py b/tests/exploits/cve_2024_11205_test.py
@@ -0,0 +1,89 @@
+"""Unit tests for Agent Asteroid: CVE-2024-11205"""
+
+import requests_mock as req_mock
+from ostorlab.agent.mixins import agent_report_vulnerability_mixin as vuln_mixin
+
+from agent import definitions
+from agent.exploits import cve_2024_11205
+
+
+def testCVE202411205_whenVulnerable_reportFinding(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """CVE-2024-11205 unit test: case when target is vulnerable."""
+    requests_mock.get(
+        "http://localhost:80/wp-content/plugins/wpforms-lite/readme.txt",
+        text="""
+        === Contact Form by WPForms - Drag & Drop Form Builder for WordPress ===
+        Contributors: wpforms
+        Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FMKC2SLPTULP8
+        Requires at least: 5.0
+        Tested up to: 5.8
+        Requires PHP: 7.0
+        Stable tag: 1.8.4
+        """,
+        status_code=200,
+    )
+    exploit_instance = cve_2024_11205.CVE202411205Exploit()
+    target = definitions.Target("http", "localhost", 80)
+
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is True
+    assert len(vulnerabilities) > 0
+    vulnerability = vulnerabilities[0]
+    assert (
+        vulnerability.entry.title
+        == "WPForms Lite Plugin 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation"
+    )
+    assert vulnerability.technical_detail == (
+        "http://localhost:80 is vulnerable to CVE-2024-11205, WPForms Lite Plugin 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation"
+    )
+    assert vulnerability.risk_rating == vuln_mixin.RiskRating.HIGH
+
+
+def testCVE202411205_whenSafe_reportNothing(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """CVE-2024-11205 unit test: case when target is safe."""
+    exploit_instance = cve_2024_11205.CVE202411205Exploit()
+    requests_mock.get(
+        "http://localhost:80/wp-content/plugins/wpforms-lite/readme.txt",
+        text="""
+            === Contact Form by WPForms - Drag & Drop Form Builder for WordPress ===
+            Contributors: wpforms
+            Donate link: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FMKC2SLPTULP8
+            Requires at least: 5.0
+            Tested up to: 5.8
+            Requires PHP: 7.0
+            Stable tag: 1.9.2.2
+            """,
+        status_code=200,
+    )
+    target = definitions.Target("http", "localhost", 80)
+
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is True
+    assert len(vulnerabilities) == 0
+
+
+def testCVE202411205_whenTargetNotWPFormsLite_reportNothing(
+    requests_mock: req_mock.mocker.Mocker,
+) -> None:
+    """CVE-2024-11205 unit test: case when target is not WPForms Lite."""
+    exploit_instance = cve_2024_11205.CVE202411205Exploit()
+    requests_mock.get(
+        "http://localhost:80/wp-content/plugins/wpforms-lite/readme.txt",
+        text="""Not Found""",
+        status_code=404,
+    )
+    target = definitions.Target("http", "localhost", 80)
+
+    accept = exploit_instance.accept(target)
+    vulnerabilities = exploit_instance.check(target)
+
+    assert accept is False
+    assert len(vulnerabilities) == 0