WordPress Plugin Vulnerabilities

Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload

Description

The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Proof of Concept

1. Go to the plugin setting and in the "Restore" section upload the backup file by the "Select File" button(.ebwp format). Select an a file on your computer with the `.ebwp` extension. It must have some contents to pass the plugins validation check. As a PoC, add `<?php echo system($_GET['cmd']); ?>`
2. Capture the HTTP request and in "Content-Disposition:" change the file extension `.php`.
3. Check the response of the HTTP request and if the upload was successful the status code will be "200" and in the body, you can see the path of your file.
4. Open the file and run the code, i.e `cmd.php?cmd=ls` open the file and run your code. In this example, you will get a directory listing.

Affects Plugins

Plugin icon
everest-backup
Fixed in 2.2.5

References

CVE
CVE-2023-7201
YouTube Video

Miscellaneous

Original Researcher
Emad
Submitter
Emad
Submitter website
https://arganex.top/
Submitter twitter
ArganexEmad
Verified
Yes
WPVDB ID
64ba4461-bbba-45eb-981f-bb5f2e5e56e1

Timeline

Publicly Published
2024-03-25 (about 1 months ago)
Added
2024-03-25 (about 1 months ago)
Last Updated
2024-03-25 (about 1 months ago)

Other

Published
Title
Published
2014-08-01
Title
Gravity Upload Ajax <= 1.1 - Arbitrary File Upload
Published
2014-08-01
Title
Anthology - Remote File Upload
Published
2021-01-19
Title
e-signature < 1.5.6.8 - Unauthenticated Arbitrary File Upload leading to RCE
Published
2021-04-30
Title
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
Published
2021-03-26
Title
Easy Form Builder by Bitware <= 1.0 - Authenticated Arbitrary File Upload