Versions of the WordPress plugin 360-product-rotation before 1.2.1 contain an arbitrary file upload vulnerability in the file ‘plugin-media-upload.php’. An attacker can send a request to this file that uploads a zip archive, which the handler then extracts into the upload directory of the WordPress installation. The file performs no authentication or sanitization checks, so an unauthenticated user can place executable files on the server.
Exploitation
Stages
- A remote, unauthenticated attacker sends a POST request to ‘plugin-media-upload.php’ on a server running a vulnerable version of the WP plugin ‘360-product-rotation’. The request carries a zip archive into which the attacker has packed the malicious file (a PHP file, as the next stages show); the handler extracts the archive into the upload directory.
- The server responds with a 200 OK and no data in the response body, so the attacker gets no direct confirmation from the upload itself.
- The attacker requests the extracted file at ‘wp-content/uploads/yofla360/<filename>/<filename>.php’, where the web server executes it.
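The three stages above leave a recognisable pair of entries in the web server's access log: a POST to ‘plugin-media-upload.php’ followed by a request for a PHP file under ‘wp-content/uploads/yofla360/’. The following Python is an added example (not Alert Logic's signature and not part of the original page) that runs that correlation over constructed sample log lines in Apache combined format. The plugin directory used in the sample POST path is an assumption; the detection matches on the file name only, since the page does not state the full path.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not a real capture). The plugin directory
# in the POST line is assumed; only the file name matters to the detection.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/360-product-rotation/readme.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-content/plugins/360-product-rotation/plugin-media-upload.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:42 +0000] "GET /wp-content/uploads/yofla360/shell/shell.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/uploads/yofla360/product1/product1_01.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
"""

# Apache combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Stage 1: a POST whose path ends in the vulnerable handler's file name.
UPLOAD_RE = re.compile(r'/plugin-media-upload\.php$', re.IGNORECASE)

# Stage 3: a PHP file fetched from the plugin's upload directory, in the
# wp-content/uploads/yofla360/<name>/<name>.php layout the advisory describes.
# Common PHP extension variants are included so renamed shells are not missed.
SHELL_RE = re.compile(
    r'^/wp-content/uploads/yofla360/(?P<dir>[^/]+)/(?P<file>[^/]+)\.ph(?:p\d?|tml|ar)$',
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['path'] = rec['target'].split('?', 1)[0]  # drop the query string before matching
    rec['status'] = int(rec['status'])
    return rec


def detect(log_text):
    """Return {ip: {'upload': [paths], 'shell': [paths]}} for every IP that hit either stage."""
    hits = defaultdict(lambda: {'upload': [], 'shell': []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and UPLOAD_RE.search(rec['path']):
            hits[rec['ip']]['upload'].append(rec['path'])
        elif SHELL_RE.match(rec['path']):
            hits[rec['ip']]['shell'].append(rec['path'])
    return dict(hits)


def classify(hits):
    """An upload followed by a PHP fetch from the same source is a confirmed compromise;
    either stage on its own still deserves an alert."""
    verdicts = {}
    for ip, h in hits.items():
        if h['upload'] and h['shell']:
            verdicts[ip] = 'confirmed: upload + webshell access'
        elif h['upload']:
            verdicts[ip] = 'suspicious: upload attempt'
        else:
            verdicts[ip] = 'suspicious: php fetched from yofla360 uploads'
    return verdicts


if __name__ == '__main__':
    for ip, verdict in classify(detect(SAMPLE_LOG)).items():
        print(ip, verdict)
```

Because the upload response is an empty 200 OK, the POST alone looks like normal plugin traffic in most logs; the follow-up GET for a ‘.php’ under ‘yofla360’ is the reliable indicator, and it is worth alerting on even without a preceding POST, since the upload may have happened before log retention began.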
Prerequisites
The victim must be running a vulnerable version of the plugin. The patched version inspects the uploaded zip archive for executable files before extracting it, so the attack only works where that check is absent. The executable file has to be wrapped in a zip archive, because the handler extracts archives rather than storing a single uploaded file.
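The patched plugin's check, as the prerequisite describes it, is an inspection of the archive's entries before anything is written to disk. The Python below is an added example of that kind of check, written here as a stand-alone inspection routine rather than the plugin's own PHP code, and it goes slightly beyond the page by also rejecting path traversal entries and ‘.htaccess’, since extraction into the uploads directory makes both dangerous. The list of executable suffixes is an assumption that should be matched to the web server's handler configuration; the archives are constructed in memory as test data.

```python
import io
import zipfile

# Suffixes the web server may execute. Every dot-separated suffix of a name is
# checked, so "shell.php.jpg" is rejected too (AddHandler-style configurations
# execute such files). Assumed list; align it with the server configuration.
EXECUTABLE_SUFFIXES = {'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar', 'phps', 'htaccess'}


def unsafe_reason(name):
    """Return why an archive entry must not be extracted into the uploads directory, or None."""
    norm = name.replace('\\', '/')
    if norm.startswith('/'):
        return 'absolute path'
    parts = norm.split('/')
    if any(p == '..' for p in parts):
        return 'path traversal'
    if norm.endswith('/'):
        return None  # directory entry, nothing to execute
    base = parts[-1]
    suffixes = {s.lower() for s in base.split('.')[1:]}
    bad = suffixes & EXECUTABLE_SUFFIXES
    if bad:
        return 'executable extension .' + sorted(bad)[0]
    return None


def check_archive(zip_bytes):
    """Inspect every entry of the archive without extracting anything.
    Returns (ok, [(entry_name, reason), ...])."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = unsafe_reason(info.filename)
            if reason:
                problems.append((info.filename, reason))
    return (not problems, problems)


def build_zip(entries):
    """Construct a zip archive in memory from (name, bytes) pairs (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives: a legitimate product-image set, an archive
# carrying a PHP file as in the advisory, and one using evasion tricks.
BENIGN = build_zip([
    ('product/01.jpg', b'\xff\xd8\xff'),
    ('product/02.jpg', b'\xff\xd8\xff'),
    ('product/config.xml', b'<config/>'),
])
MALICIOUS = build_zip([
    ('shell/shell.php', b'<?php /* placeholder */ ?>'),
    ('shell/cover.jpg', b'\xff\xd8\xff'),
])
SNEAKY = build_zip([
    ('a/pic.PHP.jpg', b''),
    ('../../wp-config.php', b''),
    ('.htaccess', b''),
])


if __name__ == '__main__':
    for label, data in (('benign', BENIGN), ('malicious', MALICIOUS), ('sneaky', SNEAKY)):
        ok, problems = check_archive(data)
        print(label, 'accepted' if ok else 'rejected', problems)
```

The check rejects the whole archive on the first bad entry rather than silently dropping that entry, so a client cannot learn by trial which names slip through. Inspecting the entry list is not a substitute for authentication on the upload endpoint; both are needed.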
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with signatures for this exploit. When a signature matches, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade the plugin to version 1.2.1 or later. Until the upgrade is applied, restrict access to ‘plugin-media-upload.php’, and check ‘wp-content/uploads/yofla360/’ for PHP files that may already have been extracted there.