CVE-2024-50498 is a security vulnerability found in the WP Query Console WordPress plugin.
Local IP: 172.25.200.200
Port: 9043

The Flag is in /flag/flag.txt
Want to run the challenge container locally?
docker run -d -p 9043:80 --restart always joshbeck2024/ctf-cve-2024-50498-wpquery-flag-red63
Vulnerability Summary: (We’ll look at the code in this lab as well.)
- The plugin registers a REST API endpoint that users can browse to.
- If you want to interact with a computer or system to retrieve information or perform a function, an API allows your computer to make requests that you might otherwise perform manually, such as uploading files or retrieving/editing content.
- The API endpoint definition is missing what WordPress calls a permission_callback.
- Note: WordPress defaults to public access if this permission_callback is missing. This oversight allows any unauthenticated user on the internet to send requests to the endpoint.
- The endpoint is supposed to accept a POST parameter that contains information like 'author' => 1 so database queries can be tested.
- This endpoint passes the value contained in the queryArgs POST parameter directly to the PHP eval() function.
- The Problem: because eval() executes any PHP code passed to it, attackers can inject system commands that the server executes immediately.
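To make the two bullets above concrete, here is an added example (my code, not the plugin's own source): the route shape the summary describes, with no permission_callback and queryArgs fed to eval(), next to a hardened registration. The namespace wqc/v1 and the /query route are taken from the URL used later on this page; every function name below and the choice of the manage_options capability are my assumptions.

```php
<?php
// Added example, not the plugin's own code. Assumed: 'wqc/v1' and '/query' come
// from the endpoint URL on the page; function names and the 'manage_options'
// capability are the example's choices.

// --- Vulnerable shape (reconstruction of what the page describes) ---
function wqc_example_register_vulnerable_route() {
    register_rest_route( 'wqc/v1', '/query', array(
        'methods'  => 'POST',
        'callback' => 'wqc_example_query_vulnerable',
        // No permission_callback: WordPress treats the route as public (and,
        // with WP_DEBUG on, logs a _doing_it_wrong notice) but still serves it.
    ) );
}

function wqc_example_query_vulnerable( WP_REST_Request $request ) {
    // queryArgs arrives as PHP source text such as "'author' => 1" and is run
    // as code, so whoever controls the parameter controls the server.
    $args  = $request->get_param( 'queryArgs' );
    $query = eval( 'return new WP_Query( array( ' . $args . ' ) );' );
    return rest_ensure_response( $query->posts );
}

// --- Hardened registration ---
function wqc_example_register_hardened_route() {
    register_rest_route( 'wqc/v1', '/query', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'wqc_example_query_hardened',
        // Unauthenticated callers now get 401 rest_forbidden; logged-in users
        // without the capability get 403. A query-debugging tool is admin-only.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'queryArgs' => array(
                'required'          => true,
                'type'              => 'object',
                'validate_callback' => 'wqc_example_validate_query_args',
            ),
        ),
    ) );
}

// queryArgs is now a JSON object such as {"author": 1}, treated as data, and
// only allow-listed WP_Query keys pass; anything else is rejected with a 400.
function wqc_example_validate_query_args( $value, $request, $param ) {
    if ( ! is_array( $value ) ) {
        return new WP_Error( 'rest_invalid_param', "$param must be a JSON object.", array( 'status' => 400 ) );
    }
    $allowed = array( 'author', 'post_type', 'post_status', 'posts_per_page', 'orderby', 'order', 's', 'p', 'cat', 'tag' );
    foreach ( array_keys( $value ) as $key ) {
        if ( ! in_array( $key, $allowed, true ) ) {
            return new WP_Error( 'rest_invalid_param', "Unsupported query argument: $key", array( 'status' => 400 ) );
        }
    }
    return true;
}

function wqc_example_query_hardened( WP_REST_Request $request ) {
    $args  = $request->get_param( 'queryArgs' );
    $query = new WP_Query( $args ); // array in, array out; nothing is eval()ed
    return rest_ensure_response( array(
        'found_posts' => (int) $query->found_posts,
        'post_ids'    => wp_list_pluck( $query->posts, 'ID' ),
    ) );
}

add_action( 'rest_api_init', 'wqc_example_register_hardened_route' );
```

The two changes are independent and both matter: the permission_callback closes the endpoint to the public, and replacing eval() with an allow-listed array into WP_Query removes the code-execution path even for an authenticated admin whose session is later abused. After the fix, an unauthenticated request to /wp-json/wqc/v1/query should answer HTTP 401 with a rest_forbidden error, which is the quickest confirmation on a live site.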
Detection:
- This one, as far as I can tell, requires a manual check to determine whether the target may be vulnerable.
Detection Option 1: (Super Lame)
- Test the target by making a manual request to http://IP_OF_TARGET/wp-json/wqc/v1/query
- If a query error is returned, the target may be vulnerable.
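As a defender-side counterpart to the manual check above, here is an added example (my script, not from the lab page) that scans web-server access-log lines for traffic to /wp-json/wqc/v1/query and says what each hit means. The log lines, client addresses and function names are constructed for the example.

```php
<?php
// Added example, not part of the lab page: scan combined-format access-log
// lines for hits on the endpoint the page names. The sample log is constructed
// here (documentation IP ranges), not captured from a real host.

const WQC_EXAMPLE_ENDPOINT = '/wp-json/wqc/v1/query';

// Apache/nginx "combined" format: client, timestamp, request line, status, size.
const WQC_EXAMPLE_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)(?: \S+)?" (\d{3}) (\S+)/';

$sampleLog = <<<'LOG'
203.0.113.10 - - [05/Nov/2024:14:02:11 +0000] "GET /wp-json/wqc/v1/query HTTP/1.1" 500 214 "-" "curl/8.4.0"
203.0.113.10 - - [05/Nov/2024:14:02:19 +0000] "POST /wp-json/wqc/v1/query HTTP/1.1" 200 1532 "-" "python-requests/2.31.0"
198.51.100.7 - - [05/Nov/2024:14:03:02 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 4411 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Nov/2024:14:05:40 +0000] "POST /wp-json/wqc/v1/query HTTP/1.1" 401 91 "-" "curl/8.4.0"
LOG;

/** Parse one combined-format line into its parts, or null when it does not match. */
function wqc_example_parse_line(string $line): ?array
{
    if (!preg_match(WQC_EXAMPLE_LOG_RE, $line, $m)) {
        return null;
    }
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => parse_url($m[4], PHP_URL_PATH) ?: $m[4],
        'status' => (int) $m[5],
    ];
}

/**
 * What a hit on the endpoint tells a defender. Access logs do not record whether
 * the caller was authenticated, so a 2xx/5xx means "reached the handler", not
 * proof of compromise; a 401/403 means the REST permission check rejected it.
 */
function wqc_example_classify(array $hit): string
{
    if ($hit['status'] === 401 || $hit['status'] === 403) {
        return 'rejected by permission check (permission_callback in place)';
    }
    if ($hit['status'] === 404) {
        return 'route not registered (plugin absent or disabled)';
    }
    if ($hit['method'] === 'POST') {
        return 'POST reached the query handler: investigate unless the client is a known admin';
    }
    return 'probe reached the handler (a GET without queryArgs typically yields a query error)';
}

/** Every request to the endpoint with a verdict, plus a per-client hit count. */
function wqc_example_scan(string $log): array
{
    $hits = [];
    $perClient = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = wqc_example_parse_line($line);
        if ($entry === null || $entry['path'] !== WQC_EXAMPLE_ENDPOINT) {
            continue; // unrelated traffic, e.g. the wp/v2/posts line above
        }
        $entry['verdict'] = wqc_example_classify($entry);
        $hits[] = $entry;
        $perClient[$entry['client']] = ($perClient[$entry['client']] ?? 0) + 1;
    }
    return ['hits' => $hits, 'per_client' => $perClient];
}

$result = wqc_example_scan($sampleLog);
foreach ($result['hits'] as $hit) {
    printf("%s %s %s -> %d: %s\n", $hit['time'], $hit['client'], $hit['method'], $hit['status'], $hit['verdict']);
}
foreach ($result['per_client'] as $client => $count) {
    printf("%s hit the endpoint %d time(s)\n", $client, $count);
}
```

On the constructed sample, the two hits from 203.0.113.10 (a 500 on GET followed by a 200 on POST) are exactly the sequence the manual check above produces, so that client is worth a closer look; the 401 from 192.0.2.44 shows what the same probe looks like once a permission_callback is in place.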
Detection Option 2: Nuclei!
- One of the gold standard detection technologies is a program called nuclei.