There is an arbitrary file upload vulnerability in the WordPress Plugin wysija-newsletters < 2.6.8. Any call to /wp-admin/admin-post.php executes a hook without requiring the user to be authenticated, making the plugin's theme upload functionality available to everybody. An unauthenticated attacker can upload a malicious file to the target server and compromise the system.
Exploitation
Stages
- The remote unauthenticated attacker sends a POST request to ‘wp-admin/admin-post.php?page=wysija_campaign&action=theme’ and uploads a zip file containing a malicious PHP file.
- The server responds with a 302 Found and a Location header indicating success.
- The attacker interacts with the uploaded file at ‘wp-content/uploads/wysija/themes/<attacker directory>/<attacker file>’.
Prerequisites
The vulnerable plugin must be installed on the target system.
Vulnerability Description
There is an arbitrary file upload vulnerability in the WordPress Plugin wysija-newsletters < 2.6.8. The vulnerability resides in the fact that the developers assumed that the WordPress admin_init hook was only fired when an administrator user visited a page inside /wp-admin/. They used that hook (admin_init) to verify whether a specific user was allowed to upload files. However, any call to /wp-admin/admin-post.php also executes this hook without requiring the user to be authenticated, thus making the plugin's theme upload functionality available to everybody. An unauthenticated attacker can upload a malicious file to the target server and compromise the system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
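The stages above describe a request pattern that is also visible in ordinary web server access logs, so a site owner without a network IDS can look for it there. The following is an added illustration, not Alert Logic's signature and not code from the plugin: a small Python scanner that flags the theme-upload POST (stage 1), uses the 302 response noted in stage 2 as a success indicator, and correlates it with a later request for a script-like file under wp-content/uploads/wysija/themes/ (stage 3) from the same client. The log lines, IP addresses, timestamps and file names are constructed for the example.

```python
"""Log-based detection for the wysija-newsletters theme-upload pattern.

Added illustration, not Alert Logic's IDS signature and not plugin code.
Runs over constructed access-log lines in combined log format.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (combined log format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2014:10:00:01 +0000] "POST /wp-admin/admin-post.php?page=wysija_campaign&action=theme HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2014:10:00:03 +0000] "GET /wp-content/uploads/wysija/themes/mytheme/shell.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2014:10:05:00 +0000] "GET /wp-admin/admin-post.php?page=wysija_campaign&action=theme HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Jul/2014:10:06:00 +0000] "GET /wp-content/uploads/wysija/themes/default/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.5 - - [01/Jul/2014:10:07:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

# Combined-format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A script-like file one directory below the plugin's theme upload directory
# (directory layout taken from the advisory's stage 3).
UPLOADED_SCRIPT_RE = re.compile(
    r'^/wp-content/uploads/wysija/themes/[^/]+/[^/]+\.ph(?:p\d?|tml|ar)$',
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields needed from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_theme_upload(rec):
    """Stage 1: POST to admin-post.php with page=wysija_campaign&action=theme."""
    return (
        rec["method"] == "POST"
        and rec["path"].endswith("/wp-admin/admin-post.php")
        and rec["query"].get("page", [""])[0] == "wysija_campaign"
        and rec["query"].get("action", [""])[0] == "theme"
    )


def is_uploaded_theme_script(rec):
    """Stage 3: a request for a script inside the theme upload directory."""
    return UPLOADED_SCRIPT_RE.match(rec["path"]) is not None


def scan(log_text):
    """Run both rules over the log and correlate them by client IP."""
    alerts = []
    uploaders = set()  # clients that sent the theme-upload request earlier in the log
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_theme_upload(rec):
            uploaders.add(rec["ip"])
            alerts.append({
                "rule": "wysija_theme_upload",
                "ip": rec["ip"], "ts": rec["ts"], "target": rec["target"],
                # Stage 2: a 302 with a Location header signals a successful upload.
                "succeeded": rec["status"] == "302",
            })
        elif is_uploaded_theme_script(rec):
            # A script fetch by a client that uploaded earlier completes the pattern.
            rule = ("wysija_uploaded_script_executed" if rec["ip"] in uploaders
                    else "wysija_uploaded_script_access")
            alerts.append({"rule": rule, "ip": rec["ip"], "ts": rec["ts"],
                           "target": rec["target"], "status": rec["status"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The upload endpoint is also used by legitimate administrators, so the POST on its own is a weak signal; the correlation with a later request for a script under the upload directory is what raises confidence. Combined-format logs carry no session information, so this scanner cannot tell an authenticated upload from an unauthenticated one; where the web server logs cookies or the application logs the acting user, adding that field to the first rule removes most of the benign matches. Any script found under wp-content/uploads/wysija/themes/ should be treated as evidence of compromise regardless of whether the upload request was captured.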
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.