CVE-2021-4374 PoC — WordPress Automatic Plugin <= 3.53.2 - Unauthenticated Arbitrary Options Update

Title: WordPress Automatic Plugin <= 3.53.2 - Unauthenticated Arbitrary Options Update (CVE-2021-4374)

Description: The WordPress Automatic Plugin for WordPress is vulnerable to arbitrary options updates in versions up to, and including, 3.53.2. This is due to missing authorization and option validation in the process_form.php file. This makes it possible for unauthenticated attackers to arbitrarily update the settings of a vulnerable site and ultimately compromise the entire site.
# CVE-2021-4374 Testing Environment

Docker-based testing environment for validating the Nuclei template detecting **CVE-2021-4374** (WordPress Automatic Plugin - Broken Access Control vulnerability).

## Overview

This repository provides a complete, reproducible testing environment for security researchers and template developers to validate the CVE-2021-4374 Nuclei template against a real vulnerable WordPress installation.

### Vulnerability Details

- **CVE ID:** CVE-2021-4374
- **Plugin:** WP Automatic ≤ 3.53.2
- **Severity:** Critical (CVSS 9.8)
- **Type:** Broken Access Control (CWE-862)
- **Impact:** Unauthenticated attackers can modify arbitrary WordPress options

## Features

✅ **Real Environment** - Actual WordPress + vulnerable plugin (not mock)  
✅ **Isolated** - Docker containers for safe testing  
✅ **Reproducible** - Consistent environment across systems  
✅ **Documented** - Complete test outputs and validation  
✅ **Fast Setup** - One command to start

## Quick Start

### Prerequisites

- Docker (v20.10+)
- Docker Compose (v1.29+ or v2.x)
- Nuclei (latest version)

### Setup

1. **Clone the repository**
   ```bash
   git clone <your-repo-url>
   cd CVE-2021-4374-Testing-Package
   ```

2. **Start the environment**
   ```bash
   ./start.sh
   ```
   
   This will:
   - Start WordPress 5.8 with MySQL 5.7
   - Install and activate WP Automatic plugin v3.53.2
   - Configure everything automatically

3. **Test the template**
   ```bash
   nuclei -t <path-to-template>/CVE-2021-4374.yaml -u http://localhost:8080 -v
   ```

## Usage

### Basic Commands

```bash
# Start environment
./start.sh

# Stop environment (preserve data)
./stop.sh

# Stop and remove all data
docker compose down -v

# View logs
docker compose logs -f wordpress

# Quick command reference
./QUICK-COMMANDS.sh
```

### WordPress Access

- **URL:** http://localhost:8080/wp-admin
- **Username:** admin
- **Password:** NucleiTest2025!

### Testing Commands

```bash
# Validate template
nuclei -t CVE-2021-4374.yaml -validate

# Test for vulnerability
nuclei -t CVE-2021-4374.yaml -u http://localhost:8080 -v

# Debug mode (see full request/response)
nuclei -t CVE-2021-4374.yaml -u http://localhost:8080 -debug

# False positive test
nuclei -t CVE-2021-4374.yaml -u https://example.com -v

# Manual verification
curl -X POST http://localhost:8080/wp-content/plugins/wp-automatic/process_form.php \
  -d "action=update_settings&wp_automatic_option=test"
```
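
From the defender's side, requests to the same endpoint show up in the web server access log (`docker compose logs -f wordpress` in this lab). The script below is an added example, not part of the original repository: it assumes the Apache/Nginx "combined" log format and runs over constructed sample lines.

```shell
#!/bin/sh
# Added example: find POSTs to the WP Automatic process_form.php endpoint in
# access logs. Assumes Apache/Nginx "combined" log format.

ENDPOINT='/wp-content/plugins/wp-automatic/process_form.php'

# stdin: access-log lines. stdout: "client status method path" per matching POST.
find_process_form_posts() {
  awk -v endpoint="$ENDPOINT" -F'"' '
    NF >= 3 {
      # $1 = client, ident, user, [time]; $2 = request line; $3 = status, bytes
      split($1, pre, " "); client = pre[1]
      if (split($2, req, " ") < 2) next      # malformed request line
      method = toupper(req[1]); path = req[2]
      sub(/\?.*$/, "", path)                 # drop the query string
      gsub(/\/+/, "/", path)                 # collapse repeated slashes
      split($3, rest, " "); status = rest[1]
      # Suffix match so installs under a subdirectory (/blog/...) are caught too.
      tail = substr(path, length(path) - length(endpoint) + 1)
      if (method == "POST" && tail == endpoint)
        print client, status, method, path
    }'
}

# Only the hits answered with 2xx, meaning the script was served and executed.
handled_hits() {
  find_process_form_posts | awk '$2 ~ /^2[0-9][0-9]$/'
}

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG='203.0.113.7 - - [10/Nov/2025:10:00:01 +0000] "POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1" 200 31 "-" "curl/8.5.0"
198.51.100.4 - - [10/Nov/2025:10:00:05 +0000] "GET /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2025:10:00:09 +0000] "POST /blog/wp-content/plugins/wp-automatic/process_form.php?x=1 HTTP/1.1" 200 31 "-" "curl/8.5.0"
198.51.100.9 - - [10/Nov/2025:10:00:11 +0000] "POST /wp-content/plugins/wp-automatic/process_form.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2025:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

printf '%s\n' "$SAMPLE_LOG" | handled_hits
```

Access logs do not record POST bodies, so a hit identifies the client and time of a request to the endpoint, not which option was written; compare against the site's `wp_options` table or a backup to establish what changed.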

## Test Results

See **[output.md](output.md)** for complete test outputs including:
- Template validation results
- Vulnerability detection (TRUE POSITIVE)
- Debug mode with full HTTP request/response
- False positive tests
- Manual verification
- Environment status

**Summary:**
- ✅ Vulnerability detected successfully
- ✅ No false positives
- ✅ Performance: ~21ms per scan
- ✅ All tests passed

## Architecture

```
CVE-2021-4374-Testing-Package/
├── README.md                 # This file
├── output.md                 # Complete test outputs
├── docker-compose.yml        # Docker configuration
├── start.sh                  # Environment startup script
├── stop.sh                   # Environment shutdown script
├── QUICK-COMMANDS.sh         # Command reference
├── SETUP-INSTRUCTIONS.md     # Detailed setup guide
└── vulnerable-plugin/        # WP Automatic plugin
    └── wp-automatic/
        ├── wp-automatic.php     # Plugin main file
        ├── process_form.php     # Vulnerable file (CVE-2021-4374)
        └── readme.txt           # Plugin info
```

## Security Notes

⚠️ **This environment contains a known vulnerability**

**For use only in:**
- Security research
- Template testing
- Educational purposes
- Controlled lab environments

**DO NOT:**
- Expose to the internet
- Use in production
- Test against unauthorized targets

## Troubleshooting

### Plugin Not Found (404)

```bash
docker cp ./vulnerable-plugin/wp-automatic wp-automatic-wordpress:/var/www/html/wp-content/plugins/
docker compose restart
```

### WordPress Not Loading

```bash
docker compose restart
sleep 60
curl http://localhost:8080
```

### Port 8080 Already in Use

Edit `docker-compose.yml` and change the port:
```yaml
ports:
  - "9090:80"  # Change 8080 to any available port
```
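
Docker publishes a mapping written as `"9090:80"` on every host interface; prefixing it with `127.0.0.1:` keeps the lab reachable only from the local machine. The check below is an added example, not part of the original repository: it lists mappings that lack a loopback host IP, handles only the short `ports:` syntax, and runs over a constructed sample file.

```shell
#!/bin/sh
# Added example: list Compose port mappings that are not bound to loopback.
# Handles the short syntax only: [HOST_IP:]HOST_PORT:CONTAINER_PORT.

# stdin: docker-compose.yml text. stdout: each mapping reachable from other hosts.
exposed_ports() {
  awk '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-/ {
      entry = $0
      sub(/#.*$/, "", entry)               # drop a trailing comment
      sub(/^[ \t]*-[ \t]*/, "", entry)     # drop the list dash
      gsub(/[" \t]/, "", entry)            # drop double quotes and spaces
      n = split(entry, part, ":")
      # No host IP (one or two fields) means Docker binds every interface.
      if (n <= 2 || (n == 3 && part[1] != "127.0.0.1")) print entry
      next
    }
    /[^ \t]/ { in_ports = 0 }              # any other non-blank line ends the list
  '
}

# Constructed sample Compose file, not the repository docker-compose.yml.
SAMPLE_COMPOSE='services:
  wordpress:
    ports:
      - "9090:80"  # Change 8080 to any available port
  db:
    ports:
      - "127.0.0.1:3306:3306"
'

printf '%s' "$SAMPLE_COMPOSE" | exposed_ports
```

Against a real file, run `exposed_ports < docker-compose.yml`; empty output means every short-form mapping is bound to `127.0.0.1`.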

See **[SETUP-INSTRUCTIONS.md](SETUP-INSTRUCTIONS.md)** for more troubleshooting.

## Environment Details

| Component | Version |
|-----------|---------|
| WordPress | 5.8 |
| MySQL | 5.7 |
| PHP | 7.4.27 |
| Apache | 2.4.51 |
| WP Automatic | 3.53.2 (vulnerable) |

## Validation Results

The template has been validated with:
- ✅ Syntax validation passed
- ✅ TRUE POSITIVE: Detects vulnerable installations
- ✅ FALSE NEGATIVE: None
- ✅ FALSE POSITIVE: None (tested against example.com)
- ✅ Performance: 21-24ms per scan

## Contributing

Issues and improvements are welcome! Please:
1. Test your changes
2. Document any modifications
3. Follow security best practices

## References

- [CVE-2021-4374 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-4374)
- [Security Advisory](https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/)
- [WPScan Database](https://wpscan.com/plugin/wp-automatic)
- [Nuclei Documentation](https://docs.projectdiscovery.io/)

## License

This testing environment is provided for educational and security research purposes only. Use responsibly and ethically.

## Disclaimer

This is a **minimal recreation** of the vulnerable plugin components for testing purposes. It is **NOT** the actual commercial WP Automatic plugin. The recreation contains only the necessary code to demonstrate CVE-2021-4374.

All testing should be conducted in controlled environments with proper authorization.

---

**Author:** pranjal-negi  
**Date:** 2025-11-10  
**Status:** Validated and Production-Ready