Thumbnail Carousel Slider < 1.0.1 – Authenticated Shell Upload & CSRF | Plugin Vulnerabilities

Description

The original advisory states that this vulnerability is exploitable with editor and author roles but this is incorrect. Only the administrator role by default can trigger this vulnerability.

However, CSRF on the image upload form makes this exploitable by a malicious actor.

Proof of Concept

Create a file named shell.php.jpg with PHP code in it. Then go to Manage Images section and upload file via self plugin uploader. Intercept the request and change the file name to shell.php.

File was uploaded to http://www.example.com/wp-content/uploads/wp-responsive-images-thumbnail-slider/96b64029012ad7ca3a368fba667938cd.php

Affects Plugins

wp-responsive-thumbnail-slider

Fixed in 1.0.1

References

URL

https://cxsecurity.com/issue/WLB-2015080170

Miscellaneous

Submitter

firefart

Submitter website

https://firefart.at/

Submitter twitter

Verified

Yes

WPVDB ID

2c785942-0641-4e55-96bd-5ab405353002

Timeline

Publicly Published

2015-08-31 (about 10 years ago)

Added

2015-09-02 (about 10 years ago)

Last Updated

2020-12-28 (about 5 years ago)

Other

Published

Title

Published

2015-07-15

Title

Welcart e-Commerce < 1.4.18 - Multiple Vulnerabilities

Published

2020-03-12

Title

Popup Builder < 3.64.1 - Multiple Issues

Published

2015-07-02

Title

WordPress File Upload < 3.0.0 - Multiple Vulnerabilities

Published

2016-03-07

Title

SP Projects & Document Manager < 2.6.0.0 - Multiple Vulnerabilities

Published

2014-12-14

Title

Lightbox Photo Gallery 1.0 - CSRF/XSS