wpvulndb | Tomi Ashari | WPVDB-ID:BC7D4774-FCE8-4B0B-8015-8EF4C5B02D38
History: Oct 11, 2021 - 12:00 a.m.

Loco Translate < 2.5.4 - Authenticated PHP Code Injection

2021-10-11 00:00:00
Tomi Ashari
wpscan.com
7

EPSS: 0.001 (Low)
Percentile: 31.1%

The plugin mishandles input that gets saved to a file, and that file can be renamed to an extension ending in .php. As a result, authenticated “translator” users are able to inject PHP code into files ending with .php in web-accessible locations.

PoC

1. Using a user with the translator role, navigate to Loco Translate Menu > Plugins (or Themes).
2. Choose a plugin or theme which does not have a translation template already.
3. In the Advanced tab, modify the Project Name by adding PHP Code like in the name field.
4. Save and go back to the Overview tab, click “+ Create Template”, then click the Create Template button.
5. Intercept or replay the request made when clicking the Create Template button, change the name of the file being saved and be sure it ends with .php.
6. The plugin will save the template file now ending in .php (step 5) with the name value (from step 3) saved within it, in a web accessible location. Access this file to have the web server run the PHP code.

https://www.youtube.com/watch?v=OgcdDU9z7ls
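For sites that ran a version below 2.5.4, a sweep for the artifact these steps leave on disk, as an added example that is not part of the advisory or the plugin's code: it flags gettext template content saved under a .php name and PHP open tags inside .pot/.po files. It assumes the saved file keeps the usual gettext header lines; the function names and the sample tree are constructed for illustration.

```python
import os

# Assumption: the saved template keeps the standard gettext header (matched lower-cased).
GETTEXT_MARKERS = (b'msgid ""', b'"project-id-version:', b'"pot-creation-date:')

def classify(path):
    """Return a finding label for one file, or None if it looks normal."""
    with open(path, "rb") as fh:
        head = fh.read(65536).lower()  # the gettext header sits at the top
    name = os.path.basename(path).lower()
    looks_gettext = sum(marker in head for marker in GETTEXT_MARKERS) >= 2
    if name.endswith(".php") and looks_gettext:
        return "gettext template saved with a .php name"
    if name.endswith((".pot", ".po")) and (b"<?php" in head or b"<?=" in head):
        return "PHP open tag inside a translation file"
    return None

def scan(root):
    """Walk root (for example a copy of wp-content) and map relative path -> finding."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                label = classify(full)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if label:
                findings[os.path.relpath(full, root)] = label
    return findings

def build_sample_tree(root):
    """Constructed sample data: two clean files and two that should be flagged."""
    pot = 'msgid ""\nmsgstr ""\n"Project-Id-Version: {}\\n"\n"POT-Creation-Date: 2021-10-11\\n"\n'
    samples = {
        ("plugins", "demo", "demo.php"): "<?php // ordinary plugin file\n",
        ("plugins", "demo", "languages", "demo.pot"): pot.format("Demo"),
        ("plugins", "demo", "languages", "demo.php"): pot.format("Demo"),
        ("themes", "demo", "languages", "demo.pot"): pot.format("<?php /* marker */ ?>"),
    }
    for parts, body in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    import sys
    print(scan(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Both rules are heuristics: a hit is a file to review by hand, and a clean sweep does not replace updating the plugin to 2.5.4 or later.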

CPE | Name | Operator | Version
 | loco-translate | lt | 2.5.4
