AGIL <= 1.0 – Admin+ Arbitrary File Upload | CVE 2021-25119 | Plugin Vulnerabilities

Description

The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

Proof of Concept

As an admin, set a base folder name(for example, test), upload a zipped PHP file via the Grid Image Listing page of the plugin (https://example.com/wp-admin/admin.php?page=automatic_grid_image_listing).

The file will be located at https://example.com/wp-content/test/<filename.php>

Affects Plugins

automatic-grid-image-listing

No known fix

References

CVE

Miscellaneous

Original Researcher

Chuang LI

Submitter

Chuang LI

Submitter website

https://github.com/CreativeChuang

Verified

Yes

WPVDB ID

47235989-d9f1-48a5-9799-fdef0889bf8a

Timeline

Publicly Published

2022-04-19 (about 2 years ago)

Added

2022-04-19 (about 2 years ago)

Last Updated

2022-04-20 (about 2 years ago)

Other

Published

Title

Published

2021-09-01

Title

Secure File Manager <= 2.9.3 - Admin+ Arbitrary File Upload

Published

2023-01-04

Title

Membership For WooCommerce < 2.1.7 - Unauthenticated Arbitrary File Upload

Published

2014-08-01

Title

drag & drop file upload 0.1 - Arbitrary File Upload

Published

2024-04-05

Title

Import XML and RSS Feeds < 2.1.6 - Authenticated (Administrator+) Arbitrary File Upload

Published

2014-11-25

Title

Gallery Bank <= 3.0.60 - Shell Upload