BuddyForms < 2.7.8 - Unauthenticated PHAR Deserialization
Description
The plugin does not validate the url parameter of its upload_image_from_url AJAX action. This could allow unauthenticated attackers to perform PHAR deserialisation, provided they can upload a file to the server and a suitable gadget chain is present as well.
Proof of Concept
1. Create a malicious phar file.
2. Upload the malicious phar file as an image via the upload_image_from_url action.
3. Call the file with the phar:// wrapper using the same action.
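A hardened handler for the pattern described above, added here as an example and not BuddyForms' own code: the url parameter is restricted to http(s) before it reaches any file function, so phar:// and other stream wrappers are never opened, and the action is no longer reachable without a nonce and capability. The bf_example_ function names and the nonce action are assumptions; the code runs under the WordPress runtime (wp_http_validate_url, download_url, media_handle_sideload).

```php
<?php
// Added, hypothetical hardened handler (not the plugin's code). Assumes a 'url'
// POST parameter like the vulnerable AJAX action, and that wp-admin/includes
// (file.php, media.php) are loaded, as they are under admin-ajax.php.

function bf_example_validate_remote_image_url( $raw ) {
    $raw = is_string( $raw ) ? trim( $raw ) : '';
    // "phar://x.phar/y" parses with scheme "phar", so compare the scheme
    // against an explicit allowlist instead of trusting parse_url() alone.
    $scheme = strtolower( (string) parse_url( $raw, PHP_URL_SCHEME ) );
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        return false;
    }
    // WordPress' own validator: rejects non-http schemes, userinfo, odd ports
    // and (by default) loopback/private hosts; returns false on failure.
    return wp_http_validate_url( $raw );
}

function bf_example_upload_image_from_url() {
    // The described issue is reachable unauthenticated; require a nonce and capability.
    check_ajax_referer( 'bf_example_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $url = bf_example_validate_remote_image_url( $raw );
    if ( false === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    // download_url() fetches over HTTP into a temp file; the caller-supplied
    // string is never passed to a function that honours stream wrappers.
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        wp_send_json_error( $tmp->get_error_message(), 400 );
    }
    // Verify the downloaded bytes really are an image before sideloading them.
    $name = basename( (string) parse_url( $url, PHP_URL_PATH ) );
    $type = wp_check_filetype_and_ext( $tmp, '' !== $name ? $name : 'remote-image' );
    if ( empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
        @unlink( $tmp );
        wp_send_json_error( 'not an image', 400 );
    }
    $file = array( 'name' => basename( $tmp ) . '.' . $type['ext'], 'tmp_name' => $tmp );
    $id   = media_handle_sideload( $file, 0 );
    if ( is_wp_error( $id ) ) {
        @unlink( $tmp );
        wp_send_json_error( $id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'attachment_id' => $id ) );
}
add_action( 'wp_ajax_bf_example_upload_image_from_url', 'bf_example_upload_image_from_url' );
```

Registering only the wp_ajax_ hook (not wp_ajax_nopriv_) keeps the action off the unauthenticated surface entirely.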
Classification
Type
OBJECT INJECTION
Miscellaneous
Original Researcher
Joshua Martinelle (Tenable Research)
Verified
No
Timeline
Publicly Published
2023-02-23
Added
2023-02-24
Last Updated
2023-02-24