WordPress WP Insert 2.4.2 Arbitrary File Upload

2018.09.27
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-264

# Exploit Title: WordPress Plugin Wp Insert - 'Fckeditor' Arbitrary File Upload
# Exploit Author: Mostafa Gharzi
# Website: https://www.certcc.ir
# Date: 2018-09-27
# Google Dork: /wp-content/plugins/wp-insert
# Vendor: Namith Jawahar
# Software Link: https://wordpress.org/plugins/wp-insert/
# Affected Version: 2.4.2 and before
# Active installations: 30,000+
# Patched Version: unpatched
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64 & Kali Linux

# 1. Plugin Description:
# WP-INSERT by SmartLogix: The Ultimate Adsense / Ad-Management Plugin for WordPress (Optimized for Adsense)
# Wp-Insert is the most powerful yet easiest to use WordPress ad management / ad insertion plugin, which does
# a lot more than ad management / insertion.

# 2. Technical Description:
# WordPress Plugin Wp-Insert 2.4.2 and before allows an attacker to upload or transfer files of dangerous types
# that can be automatically processed within the product's environment. This vulnerability is caused by the FCKeditor
# bundled with this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is
# to get some code onto the system to be attacked; the attacker then only needs to find a way to get that code executed.
# A file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary,
# including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems,
# client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially
# where it is stored.

# 3. Proof Of Concept (PoC):
# http://localhost/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/uploadtest.html
# http://localhost/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/test.html
# http://localhost/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/browser/default/browser.html

# 4. Demo:
# https://www.rtiprofi.com/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/uploadtest.html
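Since the plugin is unpatched, a site owner's best option is to block the bundled file manager at the web server and check access logs for hits on it. The following is an added detection example, not part of the advisory or the plugin: it parses combined-format access log lines and flags any request under the FCKeditor filemanager path from the PoC URLs above, rating POSTs to the connectors directory (upload attempts) higher than reads of the test/browser pages. The connector script name in the sample log line and the log lines themselves are constructed for illustration.

```python
import re
from typing import Dict, Iterable, List

# Directory of the plugin's bundled FCKeditor file manager, taken from the
# advisory's PoC URLs. A production site has no legitimate front-end use for
# it, so any request here is worth an alert.
FILEMANAGER_PREFIX = "/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/"

# Combined log format (Apache/nginx default): ip - user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def classify(method: str, path: str, status: int) -> str:
    """Rate one request against the advisory's attack surface."""
    path_only = path.split("?", 1)[0].lower()
    if not path_only.startswith(FILEMANAGER_PREFIX):
        return "none"
    # A POST to a connector endpoint is an upload attempt; a 200 means the
    # web server actually handed the request to the connector script.
    if method == "POST" and "/connectors/" in path_only:
        return "high" if status == 200 else "medium"
    # Reading the bundled test/browser pages is reconnaissance against the plugin.
    return "medium" if status == 200 else "low"

def find_fckeditor_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per log line that touches the FCKeditor file manager."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        severity = classify(m["method"], m["path"], int(m["status"]))
        if severity != "none":
            findings.append({"ip": m["ip"], "method": m["method"],
                             "path": m["path"], "status": m["status"],
                             "severity": severity})
    return findings

# Constructed sample log lines (not real traffic); the connector script name is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Sep/2018:10:01:02 +0000] "GET /wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 200 1532',
    '203.0.113.5 - - [27/Sep/2018:10:01:09 +0000] "POST /wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/php/upload.php?Type=File HTTP/1.1" 200 311',
    '198.51.100.7 - - [27/Sep/2018:10:02:00 +0000] "GET /wp-content/plugins/wp-insert/fckeditor/editor/filemanager/browser/default/browser.html HTTP/1.1" 403 199',
    '192.0.2.9 - - [27/Sep/2018:10:03:00 +0000] "GET /wp-content/plugins/wp-insert/readme.txt HTTP/1.1" 200 8712',
]
```

Run `find_fckeditor_requests` over a real access log after denying the filemanager directory at the web server; a "high" finding before the block was in place means an upload reached the connector and the uploads directory should be inspected.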
