The Metasploit module wp_admin_shell_upload (exploit/unix/webapp/wp_admin_shell_upload) lets a remote attacker who already holds valid WordPress administrator credentials upload a backdoor by abusing the legitimate plugin upload feature of WordPress. The module logs in with the supplied credentials, sends a crafted multipart upload request carrying a ZIP archive to /wp-admin/update.php (the plugin upload handler), and then requests the PHP payload that WordPress unpacked into the plugin directory, which executes it on the target host with the privileges of the web server. No software flaw is involved; the technique turns stolen or weak admin credentials into code execution.
- The attacker uses previously obtained WordPress credentials to authenticate to the administrator backend and submits a malicious plugin archive in an HTTP POST request to /wp-admin/update.php.
- WordPress accepts the archive as a plugin and extracts it under wp-content/plugins/, a directory that is served directly by the web server, so the attacker can request the dropped PHP file by URL and have it executed.
The attacker must have network access to the WordPress installation and valid credentials for an account that is allowed to upload plugins (by default, the administrator role).
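The sequence above (an authenticated plugin upload immediately followed by a direct request for a PHP file under a plugin directory the site is not known to run) is the behaviour a web-log based detection can key on. The following Python script is an added example written for this page, not Alert Logic's signature logic or code from the Metasploit project. It parses constructed Apache combined-format log lines embedded inline, tracks plugin uploads per client address, and raises an alert when the same client then fetches a PHP file from a plugin directory outside a hypothetical allowlist within a short window. The `action=upload-plugin` query parameter is the standard WordPress upload handler; the plugin slugs in the allowlist, the five-minute window and the log lines themselves are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx combined log format (constructed sample below; adapt to your log shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# WordPress plugin upload handler, as used by the module.
UPLOAD_PATH = "/wp-admin/update.php"
# A PHP file requested directly from a plugin directory: /wp-content/plugins/<slug>/.../x.php
PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/[^?]*\.php(?:\?.*)?$")

# Hypothetical allowlist of plugin slugs this site legitimately runs (assumption).
KNOWN_PLUGINS = {"akismet", "classic-editor"}
# Correlation window between the upload and the first direct hit (assumption).
WINDOW = timedelta(minutes=5)

# Constructed sample log: 203.0.113.7 uploads a plugin and immediately executes a random
# PHP file in it; 198.51.100.9 uploads a plugin and only browses the normal admin pages.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:21:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:21:05 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:21:06 +0000] "GET /wp-content/plugins/QwErTy/abcdef.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:30:00 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:30:20 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:10:30:40 +0000] "GET /wp-content/plugins/akismet/akismet.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_plugin_upload(rec):
    """True for a POST to the plugin upload handler that the server did not reject."""
    base, _, query = rec["path"].partition("?")
    return (rec["method"] == "POST" and base == UPLOAD_PATH
            and "action=upload-plugin" in query and rec["status"] < 400)


def detect_plugin_shell_upload(lines, known_plugins=KNOWN_PLUGINS, window=WINDOW):
    """Return one alert per direct PHP hit on an unknown plugin directory that follows
    a plugin upload from the same client address within the correlation window."""
    uploads = defaultdict(list)  # client ip -> timestamps of accepted plugin uploads
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_plugin_upload(rec):
            uploads[rec["ip"]].append(rec["ts"])
            continue
        if rec["method"] != "GET" or rec["status"] != 200:
            continue
        m = PLUGIN_PHP_RE.match(rec["path"])
        if not m or m.group("slug") in known_plugins:
            continue
        recent = [t for t in uploads[rec["ip"]] if timedelta(0) <= rec["ts"] - t <= window]
        if recent:
            alerts.append({
                "ip": rec["ip"],
                "slug": m.group("slug"),
                "path": rec["path"],
                "upload_at": max(recent).isoformat(),
                "executed_at": rec["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_plugin_shell_upload(SAMPLE_LOG.splitlines()):
        print("ALERT possible plugin shell upload:", alert)
```

Run against the constructed sample the script flags only the first client, because the second client's direct PHP hit lands in an allowlisted plugin. The allowlist matters in practice: several legitimate plugins expose PHP endpoints directly, so correlating with a preceding upload from the same address, rather than alerting on every plugin-directory PHP request, keeps the false-positive rate workable. Clients behind shared NAT or a reverse proxy need the real client address (for example from X-Forwarded-For) to be logged for the correlation to hold.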
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) used by Alert Logic Threat Manager™ has been updated with new signatures for this exploit. When a signature matches, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Because this module abuses built-in WordPress functionality with valid administrator credentials rather than a flaw in any particular plugin, there is no vulnerable plugin version to upgrade. Mitigation focuses on the credentials and the upload feature itself: enforce strong, unique passwords and multi-factor authentication for administrator accounts, restrict access to /wp-admin/ to trusted networks where practical, and review accounts with plugin upload privileges. On installations that do not need to install plugins or themes through the web interface, set define('DISALLOW_FILE_MODS', true); in wp-config.php, which disables plugin and theme uploads entirely. Keep WordPress itself current, and if a credential compromise is suspected, rotate the affected passwords and inspect wp-content/plugins/ for unrecognised directories or recently added PHP files.