Frontend File Manager < 21.3 – Subscriber+ Arbitrary File Upload | CVE 2022-3125 | Plugin Vulnerabilities

Description

The plugin allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

Proof of Concept

1. Navigate to the page where [ffmwp] shortcode is included as Subscriber
2. Upload the malicious PHP file as PDF file (e.g., exploit.pdf)
3. View the file and rename it from exploit.pdf to exploit.php

The file will be accessible via https://example.com/wp-content/uploads/user_uploads/<username>/exploit.php

Affects Plugins

nmedia-user-file-uploader

Fixed in 21.3

References

CVE

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

d3d9dc9a-226b-4f76-995e-e2af1dd6b17e

Timeline

Publicly Published

2022-09-07 (about 1 years ago)

Added

2022-09-07 (about 1 years ago)

Last Updated

2022-09-07 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

Islidex 2.7 - Shell Upload

Published

2014-08-01

Title

Cimy User Extra Fields - Arbitrary File Upload

Published

2014-08-01

Title

Ghost - Arbitrary File Upload

Published

2014-08-01

Title

Rekt Slideshow 1.0.5 - Shell Upload

Published

2022-07-18

Title

Directorist - Business Directory Plugin < 7.2.3 - Admin+ Arbitrary File Upload