GEO My WordPress < 4.5 – Admin+ Arbitrary File Upload | CVE 2024-9422

Description

The plugin does not sufficiently validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server.

Proof of Concept

Note: this needs both geo-my-wp and its Premium Settings extension to exploit.

1. Navigate to https://example.com/wp-admin/admin.php?page=gmw-tools&tab=map_icons
2. Upload a PHP webshell with the bytes "GIF89a;\x0a" prepended, intercept the request and overwrite the "Content-Type" with "image/gif".
3. The new "icon" (= webshell) is displayed in the icons list.
4. Call the webshell in a browser (no session required) by navigating to https://example.com/wp-content/uploads/geo-my-wp/posts-locator/map-icons/<filename>.php and POST any OS command, which will then be executed by the webshell.