WordPress Plugin Vulnerabilities
Frontend File Manager < 21.3 - Subscriber+ Arbitrary File Upload
Description
The plugin allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE
Proof of Concept
1. Navigate to the page where [ffmwp] shortcode is included as Subscriber 2. Upload the malicious PHP file as PDF file (e.g., exploit.pdf) 3. View the file and rename it from exploit.pdf to exploit.php The file will be accessible via https://example.com/wp-content/uploads/user_uploads/<username>/exploit.php
Affects Plugins
References
CVE
Miscellaneous
Original Researcher
Raad Haddad of Cloudyrion GmbH
Submitter
Raad Haddad of Cloudyrion GmbH
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-09-07 (about 1 years ago)
Added
2022-09-07 (about 1 years ago)
Last Updated
2022-09-07 (about 1 years ago)