Frontend File Manager < 21.3 – Subscriber+ Arbitrary File Upload | CVE 2022-3125 | Plugin Vulnerabilities

Description

The plugin allows any authenticated users, such as subscriber, to rename a file to an arbitrary extension, like PHP, which could allow them to basically be able to upload arbitrary files on the server and achieve RCE

Proof of Concept

1. Navigate to the page where [ffmwp] shortcode is included as Subscriber
2. Upload the malicious PHP file as PDF file (e.g., exploit.pdf)
3. View the file and rename it from exploit.pdf to exploit.php

The file will be accessible via https://example.com/wp-content/uploads/user_uploads/<username>/exploit.php

Affects Plugins

nmedia-user-file-uploader

Fixed in 21.3

References

CVE

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter

Verified

Yes

WPVDB ID

d3d9dc9a-226b-4f76-995e-e2af1dd6b17e

Timeline

Publicly Published

2022-09-07 (about 3 years ago)

Added

2022-09-07 (about 3 years ago)

Last Updated

2022-09-07 (about 3 years ago)

Other

Published

Title

Published

2023-08-22

Title

Jupiter X Core Premium < 3.3.8 - Unauthenticated Arbitrary File Upload

Published

2016-08-01

Title

Estatik < 2.3.1 - Arbitrary File Upload

Published

2026-01-15

Title

g-FFL Checkout < 2.1.1 - Unauthenticated Arbitrary File Upload

Published

2024-10-25

Title

Wux Blog Editor <= 3.0.0 - Unauthenticated Arbitrary File Upload

Published

2024-04-05

Title

WP Photo Album Plus < 8.6.03.005 - Authenticated (Subscriber+) Arbitrary File Upload