WordPress Plugin Vulnerabilities

Popup Builder < 4.0.7 - LFI to RCE

Description

The plugin does not validate and sanitise the sgpb_type parameter before using it in a require statement, leading to a Local File Inclusion issue. Furthermore, since the beginning of the string can be controlled, the issue can lead to RCE vulnerability via wrappers such as PHAR

Proof of Concept

Create a zip archive with a Popup.php contains PHP code, upload it via a low privilege account (by default author and above can upload files, however the blog may allow subscriber to do so, via a plugin, form etc)

https://example.com/index.php?sgpb_type=phar://wp-content/uploads/2021/12/1.zip/

Affects Plugins

Plugin icon
popup-builder
Fixed in 4.0.7

References

CVE
CVE-2021-25082
URL
https://plugins.trac.wordpress.org/changeset/2659117

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
ZhongFu Su(JrXnm) of Wuhan University
Submitter
ZhongFu Su(JrXnm) of Wuhan University
Submitter website
https://blog.szfszf.top
Submitter twitter
JrXnm
Verified
Yes
WPVDB ID
0f90f10c-4b0a-46da-ac1f-aa6a03312132

Timeline

Publicly Published
2022-01-24 (about 2 years ago)
Added
2022-01-24 (about 2 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Vitamin 1.0 - add_headers.php path Parameter Traversal Arbitrary File Access
Published
2016-08-15
Title
Ajax Load More <= 2.11.1 - Local File Inclusion (LFI)
Published
2014-12-08
Title
Ajax Store Locator <= 1.2 - Arbitrary File Download
Published
2012-06-18
Title
Wp-ImageZoom <= 1.0.4 - File Disclosure
Published
2023-09-25
Title
NextGEN Gallery < 3.39 - Admin+ Local File Inclusion