CVE-2020-10564

Author: p4w

Twitter: https://twitter.com/p4w16

HTB: https://www.hackthebox.eu/profile/32300

e-mail: riccardo.krauter@gmail.com

The vulnerability affecting the plugin lets a user gain Remote Code Execution by uploading a simple .jpg or .txt file by abusing a directory traversal.
WordPress File Upload is a plugin for WordPress. I managed to find a directory traversal vulnerability in the file upload functionality. It's possible to use this vulnerability to gain RCE by uploading a file (the extension doesn't matter) inside the lib directory of the plugin. The RCE can be triggered by an unauthenticated user, and it doesn't require any admin interaction.
Why does this work?
Well, thanks to this (screenshot: include-all-code): this piece of code shows that the function wfu_include_lib() will include_once all the files in the lib directory (the extension does not matter). We can then use the path traversal to write a file inside that directory to gain RCE. This function is called automatically every time the plugin is present in a page by the init page (you can check the file wfu_loader.php).
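A defender-side check for the two conditions described above, added here as an example and not taken from the report or the plugin's code: `stays_inside()` rejects an upload target that resolves outside the upload directory, and `audit_lib_dir()` flags anything in an include-all directory that is not a shipped .php file. The function names, the manifest and every file name in the demo are assumptions, and the sample tree is constructed.

```python
import tempfile
from pathlib import Path

PHP_TAGS = (b"<?php", b"<?=")  # opening tags PHP executes when a file is included

def stays_inside(base: Path, user_path: str) -> bool:
    """Reject upload targets that resolve outside base (e.g. via '../')."""
    base = base.resolve()
    target = (base / user_path).resolve()
    return base in target.parents

def audit_lib_dir(lib_dir: Path, manifest: set) -> dict:
    """Map file name -> reasons for every suspicious file directly in lib_dir."""
    findings = {}
    for entry in sorted(lib_dir.iterdir()):
        if not entry.is_file():
            continue
        reasons = []
        if entry.name not in manifest:
            reasons.append("not in release manifest")
        if entry.suffix.lower() != ".php":
            # An include-all loop ignores the extension, so any file here is loaded.
            reasons.append("non-.php file in include-all directory")
            if any(tag in entry.read_bytes() for tag in PHP_TAGS):
                reasons.append("contains PHP opening tag")
        if reasons:
            findings[entry.name] = reasons
    return findings

def demo() -> dict:
    """Run the audit over a constructed plugin tree (all names are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        lib = Path(tmp) / "plugin" / "lib"
        lib.mkdir(parents=True)
        (lib / "shipped_helper.php").write_text("<?php // constructed\n")
        (lib / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 <?php /* constructed marker */ ?>")
        (lib / "notes.txt").write_text("plain text, constructed\n")
        return audit_lib_dir(lib, manifest={"shipped_helper.php"})

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

The manifest would normally be built from the file list of the plugin release that is installed, so that unexpected .php files are caught as well.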
Here you can find the report that I shared with the maintainer of the plugin; inside it you can find the PoC to reproduce the issue.
Here you can find a simple Python exploit script. Example usage:

$ python exploit.py http://localhost/wordpress/test-wp-file-upload-plugin/ /wordpress

Enjoy the own4ge.

Cheers, p4w