WordPress Plugin Vulnerabilities
Autoptimize < 2.7.8 - Arbitrary File Upload via "Import Settings"
Description
The plugin attempts to delete malicious files (such as .php) form the uploaded archive via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.
Proof of Concept
Regularly, zip which contained a PHP file was extracted, but the PHP extension was not on a white list so it was removed from the disk afterwards. It turned out that it is possible to upload a zip which contained a directory with PHP file in it and then it was not removed from the disk. Upload can be done using Import Settings functionality available in the following directory: http://localhost:8000/wp-content/uploads/ao_ccss/dir/wp-admin/options-general.php?page=ao_critcss Example content of an archive: $ zip -sf rce.zip Archive contains: dir/ dir/index.php settings.json Total 3 entries (20 bytes) Example content of dir/index.php file: <?php phpinfo() ?> settings.json is an empty file. As you can see, there is a "dir" directory inside a zip which contains index.php file. Both will not be removed from the disk after being extracted. After the upload, file can be accessed by visiting such address: http://localhost:8000/wp-content/uploads/ao_ccss/dir/ Due to the fact that file is named index.php, there was no need to include file name in the address.
Affects Plugins
Fixed in 2.7.8 References
CVE
Miscellaneous
Original Researcher
Marcin Węgłowski
Submitter
Marcin Węgłowski
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2020-10-09 (about 3 years ago)
Added
2021-06-07 (about 2 years ago)
Last Updated
2021-06-29 (about 2 years ago)
WPScan 