WordPress Plugin Vulnerabilities

WP All Import < 3.6.8 - Admin+ Arbitrary File Upload

Description

The plugin accepts all zip files and automatically extracts the zip file without validating the extracted file type. Allowing high privilege users such as admin to upload an arbitrary file like PHP, leading to RCE

Proof of Concept

As an admin upload a php file containing the palyload zipped along with a valid XML file via the New Import Upload page of the plugin:
https://example.com//wp-admin/admin.php?page=pmxi-admin-import

When the upload finishes you'll be able to find the random directory it was sent to by checking the links on the source code of the Managed Imports page:
http://example.com/wp-admin/admin.php?page=pmxi-admin-manage

The file will be located at something like:
https://example.com/wp-content/uploads/wpallimport/uploads/f8ac124b335362e2faed2da06d2123d5/folder/filename.php

Affects Plugins

Plugin icon
wp-all-import
Fixed in 3.6.8

References

CVE
CVE-2022-2268

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
moresec
Submitter
moresec
Submitter website
https://github.com/Jamesusername
Verified
Yes
WPVDB ID
578093db-a025-4148-8c4b-ec2df31743f7

Timeline

Publicly Published
2022-07-01 (about 1 years ago)
Added
2022-06-30 (about 1 years ago)
Last Updated
2023-04-05 (about 1 years ago)

Other

Published
Title
Published
2020-04-27
Title
Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
Published
2023-12-15
Title
Duplicator < 1.3.0 - Unauthenticated RCE
Published
2014-09-22
Title
Flash Uploader <= 3.1.2 - Arbitrary Comm& Execution
Published
2022-12-23
Title
User Post Gallery <= 2.19 - Unauthenticated RCE
Published
2022-06-28
Title
Import any XML or CSV File to WordPress < 3.6.8 - Admin+ Arbitrary Code Execution