CVE-2024-43160
Published 2024-08-13
CVE-2024-43160: Unrestricted Upload of File with Dangerous Type vulnerability in BerqWP allows Code Injection. This issue affects BerqWP: from n/a through 1.7.6.
Priority P274 | critical | 10 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 4.62% (90.5th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| berqwp | berqwp | n/a – 1.7.6 | — |
Detection & IOCs (extracted from sources)
path: `/wp-json/optifer/v1/store-webp`
command: `image="{{base64(num)}}"&url={{filename}}.txt&license_key_hash=d41d8cd98f00b204e9800998ecf8427e`
- Detect unauthenticated POST requests to /wp-json/optifer/v1/store-webp with a Content-Type of application/x-www-form-urlencoded; this endpoint accepts arbitrary file uploads without authentication or file type validation.
- The exploit payload uses the parameter `license_key_hash` set to the MD5 hash of an empty string (d41d8cd98f00b204e9800998ecf8427e); monitor POST bodies to the store-webp endpoint for this specific hash value as a strong exploitation indicator.
- Fingerprint vulnerable installations by checking for the presence of /wp-content/plugins/searchpro in page source; this path is used as the initial probe step before exploitation.
- After a successful upload, the attacker retrieves the uploaded file via a GET request to the web root; monitor for GET requests to recently uploaded non-image files (e.g., .txt, .php) in the WordPress web root that were preceded by a POST to /wp-json/optifer/v1/store-webp.
- The vulnerability is unauthenticated (no credentials or nonce required); any POST to /wp-json/optifer/v1/store-webp from an unauthenticated session should be treated as suspicious and investigated.
- The vulnerable endpoint path differs between the plugin's internal PHP file (/api/store_webp.php) and the exposed WordPress REST API route (/wp-json/optifer/v1/store-webp); detections should cover both paths as the REST route is the externally reachable attack surface.
- The exploit is confirmed for BerqWP versions up to and including 1.7.6; version 1.7.7 and later are remediated. Ensure version-based detection rules account for this boundary.
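The POST-then-GET correlation described in the bullets above can be run over web server access logs. The following is an added example, not code from the original page or from the template author; the combined log format, the 10-minute window and the image-extension list are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Routes named on the page: the REST route and the plugin's internal PHP file.
UPLOAD_ROUTES = ("/wp-json/optifer/v1/store-webp", "/api/store_webp.php")
IMAGE_EXTS = {".webp", ".png", ".jpg", ".jpeg", ".gif", ".avif", ".svg", ".ico"}
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = unquote(urlsplit(m["target"]).path).lower()
    return m["ip"], ts, m["method"], path, int(m["status"])

def is_upload(method, path):
    return method == "POST" and path.rstrip("/").endswith(UPLOAD_ROUTES)

def is_webroot_non_image(method, path):
    # Web root means a single path segment; core files such as /index.php
    # also match, so allowlist them if they are noisy on your site.
    name = path.lstrip("/")
    if method != "GET" or "/" in name or "." not in name:
        return False
    return "." + name.rsplit(".", 1)[1] not in IMAGE_EXTS

def correlate(lines):
    """Return (ip, upload_time, fetched_path) for each POST-then-GET pair."""
    last_upload, hits = {}, []
    for ip, ts, method, path, status in filter(None, map(parse, lines)):
        if is_upload(method, path):
            last_upload[ip] = ts
        elif (ip in last_upload and status == 200
              and timedelta(0) <= ts - last_upload[ip] <= WINDOW
              and is_webroot_non_image(method, path)):
            hits.append((ip, last_upload[ip], path))
    return hits

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [14/Aug/2024:10:01:02 +0000] "POST /wp-json/optifer/v1/store-webp HTTP/1.1" 200 31 "-" "-"',
    '203.0.113.7 - - [14/Aug/2024:10:01:05 +0000] "GET /k3f9.txt HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.4 - - [14/Aug/2024:10:02:00 +0000] "GET /notes.txt HTTP/1.1" 200 40 "-" "-"',
    '203.0.113.7 - - [14/Aug/2024:10:30:00 +0000] "GET /late.txt HTTP/1.1" 200 12 "-" "-"',
]
```

Access logs do not record POST bodies, so matching on the `license_key_hash` value requires WAF or reverse-proxy body logging in addition to this correlation.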
No detection rules found.
Nuclei
BerqWP <= 1.7.6 - Arbitrary File Upload
nuclei·CVSS 10.0
CVE-2024-43160 [CRITICAL] BerqWP <= 1.7.6 - Arbitrary File Upload
The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /api/store_webp.php file in all versions up to, and including, 1.7.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Template:

```yaml
id: CVE-2024-43160

info:
  name: BerqWP <= 1.7.6 - Arbitrary File Upload
  author: s4e-io
  severity: critical
  description: |
    The BerqWP Automated All-In-One PageSpeed Optimization Plugin for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary fi
```
No writeups or analysis indexed.