WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Frontend File Manager < 21.3 - Subscriber+ Arbitrary File Upload

Description

The plugin allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

Proof of Concept

1. Navigate to the page where [ffmwp] shortcode is included as Subscriber
2. Upload the malicious PHP file as PDF file (e.g., exploit.pdf)
3. View the file and rename it from exploit.pdf to exploit.php

The file will be accessible via https://example.com/wp-content/uploads/user_uploads/<username>/exploit.php

Affects Plugins

nmedia-user-file-uploader
Fixed in version 21.3

References

CVE
CVE-2022-3125

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter
raadfhaddad
Verified

Yes

WPVDB ID
d3d9dc9a-226b-4f76-995e-e2af1dd6b17e

Timeline

Publicly Published

2022-09-07 (about 1 years ago)

Added

2022-09-07 (about 1 years ago)

Last Updated

2022-09-07 (about 1 years ago)

Our Other Services

WPScan WordPress Security Plugin