WordPress Plugin Advanced Uploader 4.2 – Arbitrary File Upload (Authenticated)

• Exploit Database
• 41 阅读

• 作者： Roel van Beurden
  日期： 2022-05-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/50895/

• # Exploit Title: WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
  # Google Dork: -
  # Date: 2022-03-13
  # Exploit Author: Roel van Beurden
  # Vendor Homepage: -
  # Software Link: https://downloads.wordpress.org/plugin/advanced-uploader.4.2.zip
  # Version: <=4.2
  # Tested on: WordPress 5.9 on Ubuntu 18.04
  # CVE: CVE-2022-1103
  
  
  1. Description:
  ----------------------
  WordPress Plugin Advanced Uploader <=4.2 allows authenticated arbitrary file upload. Any file(type) can be uploaded. A malicious user can perform remote code execution on the backend webserver.
  
  
  2. Proof of Concept:
  ----------------------
  - Upload file/webshell/backdoor with the Advanced Uploader plugin;
  - File is uploaded in the WordPress Media Library;
  - Go to /wp-content/uploads/ where the file is saved;
  - Click on the uploaded file for whatever it's supposed to do (RCE, reverse shell).
  
  
  3. Exploitation demo:
  ----------------------
  https://www.youtube.com/watch?v=Bwpf-IpxtXQ