WordPress Plugin Vulnerabilities

Import WP < 2.4.6 - Admin+ Arbitrary File Upload to RCE

Description

The plugin does not validate the imported file in some cases, allowing high privilege users such as admin to upload arbitrary files (such as PHP), leading to RCE

Proof of Concept

Import a PHP file via an URL [Tools > Import WP > Add Importer (put any name, and post template) > Create Importer > Remote File (select any file type)], eg: https://example.com/info.php (content of info.php:<?php phpinfo();?>)

Intercept the response to get the path of the file (via the file[src], eg: 06-2-info.php) and append that https://WP/wp-content/uploads/<year>/<month>, eg: https://WP/wp-content/uploads/2022/04/06-2-info.php

Affects Plugins

Plugin icon
jc-importer
Fixed in 2.4.6

References

CVE
CVE-2022-1273

Miscellaneous

Original Researcher
ericfrank900528
Submitter
ericfrank900528
Verified
Yes
WPVDB ID
ad99b9ba-5f24-4682-a787-00f0e8e32603

Timeline

Publicly Published
2022-04-11 (about 2 years ago)
Added
2022-04-11 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2014-08-01
Title
1 Flash Gallery - Arbitrary File Upload Exploit (MSF)
Published
2021-10-05
Title
MStore API < 3.4.5 - Unauthenticated PHP File Upload
Published
2023-11-20
Title
Theme Editor < 2.8 - Admin+ Arbitrary File Upload
Published
2024-03-25
Title
Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload
Published
2014-08-01
Title
Verve Meta Boxes 1.2.8 - Shell Upload