# Exploit Title: Wordpress Plugin Wp Insert - 'Fckeditor' Arbitrary File Upload
# Exploit Author: Mostafa Gharzi
# Website: https://www.certcc.ir
# Date: 2018-09-27
# Google Dork: /wp-content/plugins/wp-insert
# Vendor: Namith Jawahar
# Software Link: https://wordpress.org/plugins/wp-insert/
# Affected Version: 2.4.2 and before
# Active installations: 30,000+
# Patched Version: unpatched
# Category: Web Application
# Platform: PHP
# Tested on: Win10x64 & Kali Linux
# 1. Plugin Description:
# WP-INSERT by SmartLogix : The Ultimate Adsense / Ad-Management Plugin for
WordPress (Optimized for Adsense)
# Wp-Insert is the most powerful yet easiest to use wordpress ad management
/ ad insertion plugin which does
# a lot more than ad management / insertion.
# 2. Technical Description:
# WordPress Plugin Wp-Insert 2.4.2 and Before allows the attacker to upload
or transfer files of dangerous types
# that can be automatically processed within the product's environment.This
vulnerability is caused by FCKeditor
# in this plugin. Uploaded files represent a significant risk to
applications. The first step in many attacks is
# to get some code to the system to be attacked. Then the attack only needs
to find a way to get the code executed.
# Using a file upload helps the attacker accomplish the first step.The
consequences of unrestricted file upload can vary,
# including complete system takeover, an overloaded file system or
database, forwarding attacks to back-end systems,
# client-side attacks, or simple defacement. It depends on what the
application does with the uploaded file and especially
# where it is stored.
# 3. Proof Of Concept (PoC):
# http://localhost/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/uploadtest.html
# http://localhost/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/test.html
# http://localhost/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/browser/default/browser.html
# 4. Demo:
# https://www.rtiprofi.com/wp-content/plugins/wp-insert/fckeditor/editor/filemanager/connectors/uploadtest.html