AGIL <= 1.0 – Admin+ Arbitrary File Upload | CVE 2021-25119 | Plugin Vulnerabilities

Description

The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

Proof of Concept

As an admin, set a base folder name(for example, test), upload a zipped PHP file via the Grid Image Listing page of the plugin (https://example.com/wp-admin/admin.php?page=automatic_grid_image_listing).

The file will be located at https://example.com/wp-content/test/<filename.php>

Affects Plugins

automatic-grid-image-listing

No known fix

References

CVE

Miscellaneous

Original Researcher

Chuang LI

Submitter

Chuang LI

Submitter website

https://github.com/CreativeChuang

Verified

Yes

WPVDB ID

47235989-d9f1-48a5-9799-fdef0889bf8a

Timeline

Publicly Published

2022-04-19 (about 2 years ago)

Added

2022-04-19 (about 2 years ago)

Last Updated

2022-04-20 (about 2 years ago)

Other

Published

Title

Published

2013-01-04

Title

Eptonic - Valums Uploader Shell Upload Exploit

Published

2015-03-07

Title

WooThemes Daily Edition <= 1.6.2 - Unrestricted File Upload

Published

2014-08-01

Title

Asset Manager 0.2 - Arbitrary File Upload

Published

2023-08-28

Title

Prevent files / folders access < 2.5.2 - Admin+ Arbitrary File Upload

Published

2023-12-27

Title

BERTHA AI Plugin < 1.11.10.8 - Unauthenticated Arbitrary File Upload