SP Project & Document Manager < 4.24 – Subscriber+ Shell Upload | CVE 2021-4225 | Plugin Vulnerabilities

Description

The plugin allows any authenticated users, such as subscribers, to upload files. The plugin attempts to prevent PHP and other similar files that could be executed on the server from being uploaded by checking the file extension. It was discovered that on Windows servers, the security checks in place were insufficient, enabling bad actors to potentially upload backdoors on vulnerable sites.

Proof of Concept

1. Create the SP Project & Document Manager page such as 'sp-document'

2. Upload a file and intercept the request.

3. Rename the dlg-upload-file[] parameter from '1.txt' with '1.php.' , it is very important the filename endswith 'php.' .

Affects Plugins

sp-client-document-manager

Fixed in 4.24

References

CVE

URL

https://github.com/pang0lin/CVEproject/blob/main/wordpress_SP-Project_fileupload.md

Miscellaneous

Original Researcher

pang0lin @webray.com.cn inc

Submitter

pang0lin @webray.com.cn inc

Submitter website

https://github.com/pang0lin

Verified

Yes

WPVDB ID

bd1083d1-edcc-482e-a8a9-c8b6c8d417bd

Timeline

Publicly Published

2021-06-28 (about 2 years ago)

Added

2022-03-31 (about 2 years ago)

Last Updated

2022-04-10 (about 2 years ago)

Other

Published

Title

Published

2024-02-23

Title

Brizy – Page Builder < 2.4.41 - Authenticated (Contributor+) Arbitrary File Upload

Published

2014-09-28

Title

N-Media File Uploader < 3.5 Arbitrary File Upload

Published

2021-03-26

Title

WP-Curricul Vitea Free <= 6.3 - Unauthenticated Arbitrary File Upload to RCE

Published

2024-04-12

Title

InstaWP Connect – 1-click WP Staging & Migration < 0.1.0.23 - Unauthenticated Arbitrary File Upload

Published

2014-08-01

Title

Resume Submissions Job Posting <= 2.5.1 - Unrestricted File Upload