The XData Toolkit WordPress plugin is an XML/XSLT transformation engine and database toolkit that uses many sources including MySQL, XML, RSS Feeds, and Web Services. The plugin contains a file upload vulnerability where an attacker is able to upload arbitrary files via SaveTransformUpdateView.php. This is due to a lack of sanitization or authorization when accepting uploads. No authentication is required for successful exploitation of this vulnerability.
Exploitation
Stages
- The attacker makes a form upload to modules/TransformStudio/SaveTransformUpdateView.php containing a PHP payload.
- The plugin accepts the upload due to a lack of sanitization or authorization and moves the file to the public location wp-content/plugins/xdata-toolkit/transforms/client/<filename>.php.
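As an added defender-side example (not code from the advisory or the plugin), the Python below scans web-server access-log lines for the two stages above: a POST to the upload endpoint, and a later request for a .php file under the public transforms/client/ directory, then correlates the two by client IP. The combined log format, the plugin path prefix under wp-content/plugins/xdata-toolkit/, and the sample lines are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample access-log lines in combined format (not real traffic).
# Client 203.0.113.7 posts to the upload endpoint and then fetches a .php file
# from the public transforms/client/ directory; 198.51.100.4 is benign noise.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2023:12:00:01 +0000] "POST /wp-content/plugins/xdata-toolkit/modules/TransformStudio/SaveTransformUpdateView.php HTTP/1.1" 200 512 "-" "curl/7.88.1"
203.0.113.7 - - [10/Jan/2023:12:00:03 +0000] "GET /wp-content/plugins/xdata-toolkit/transforms/client/view.php HTTP/1.1" 200 98 "-" "curl/7.88.1"
198.51.100.4 - - [10/Jan/2023:12:01:10 +0000] "GET /wp-content/plugins/xdata-toolkit/transforms/client/report.xsl HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2023:12:01:12 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Endpoint and drop directory named in the advisory; matched as path suffixes
# so the check does not depend on the assumed plugin install prefix.
UPLOAD_ENDPOINT = "/modules/TransformStudio/SaveTransformUpdateView.php"
DROP_DIR = "/wp-content/plugins/xdata-toolkit/transforms/client/"
# Extensions the web server would execute; adjust to the host's handler config.
EXEC_EXTS = (".php", ".phtml")


def classify(line: str) -> Optional[str]:
    """Return 'upload_attempt', 'planted_php_request' or None for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # ignore the query string
    if m.group("method") == "POST" and path.endswith(UPLOAD_ENDPOINT):
        return "upload_attempt"
    if DROP_DIR in path and path.lower().endswith(EXEC_EXTS):
        return "planted_php_request"
    return None


def scan(log_text: str) -> Dict[str, List[dict]]:
    """Group matching lines by finding type, keeping ip, path and status."""
    findings: Dict[str, List[dict]] = {"upload_attempt": [], "planted_php_request": []}
    for line in log_text.splitlines():
        kind = classify(line)
        if kind:
            m = LOG_RE.match(line)
            findings[kind].append({"ip": m.group("ip"), "path": m.group("path"),
                                   "status": int(m.group("status"))})
    return findings


def correlate(findings: Dict[str, List[dict]]) -> Set[str]:
    """IPs seen both posting to the endpoint and requesting a planted script."""
    uploaders = {f["ip"] for f in findings["upload_attempt"]}
    fetchers = {f["ip"] for f in findings["planted_php_request"]}
    return uploaders & fetchers
```

A single unauthenticated POST to the endpoint is worth an alert on its own; the correlation step raises confidence that a script was actually placed and executed.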
Prerequisites
The public-facing host is running WordPress and a vulnerable version of XData Toolkit.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the plugin.