Theme-Demo-Importer < 1.1.1 – Admin+ Arbitrary File Upload | CVE 2022-1538 | Plugin Vulnerabilities

Description

The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.

Proof of Concept

1. Navigate to: Appearance >Import Demo Content > Theme Demo Importer > Manually upload the demo files

2. Use the XML file import option to upload a PHP file containing this content:
<?php phpinfo();?>

3. Find the file at https://example.com/wp-content/uploads/YYYY/MM/your-file.php

Affects Plugins

theme-demo-import

Fixed in 1.1.1

References

CVE

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

ccltt1201

Submitter

ccltt1201

Verified

Yes

WPVDB ID

b19adf7c-3983-487b-9b46-0f2922b08c1c

Timeline

Publicly Published

2022-11-08 (about 1 years ago)

Added

2022-11-08 (about 1 years ago)

Last Updated

2022-11-08 (about 1 years ago)

Other

Published

Title

Published

2020-04-19

Title

Media Library Assistant < 2.82 - Authenticated RCE

Published

2014-11-20

Title

CM Download Manager < 2.0.4 - Unauthenticated Code Injection

Published

2022-12-23

Title

User Post Gallery <= 2.19 - Unauthenticated RCE

Published

2023-08-28

Title

Import XML and RSS Feeds < 2.1.4 - Admin+ Arbitrary File Upload

Published

2019-03-11

Title

WP Live Chat Support Pro < 8.0.0.7 - Unauthenticated RCE