There exists an arbitrary file upload vulnerability in all versions of WordPress Marketplace (currently removed from the WordPress.org plugin directory). The vulnerability exists because the wpmp_upload_previews() method makes no attempt to validate its input. The upload directory is publicly served, and any PHP file requested from it is executed. The plugin is currently unsupported.
Exploitation
Stages
- An attacker sends an upload request to a vulnerable WordPress instance containing an arbitrary file.
- The server responds with a ‘200’ response code and the name of the stored file: ‘wpdm-adp-’ followed by a time stamp, followed by the original name of the uploaded file.
- The attacker requests the uploaded file from the directory ‘/wp-content/uploads/wpmp-previews/’. PHP will then be executed.
Prerequisites
The attack is unauthenticated and needs to be posted to an endpoint with ‘task=wpmp_upload_previews’.
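As an added illustration of how the two stages above can be spotted in web server logs, the following Python script is not Alert Logic's signature and is not code from the plugin. It parses combined-format access log lines (the sample lines are constructed, not real traffic), flags POST requests whose query string carries task=wpmp_upload_previews, flags requests for PHP files under /wp-content/uploads/wpmp-previews/, and correlates the two per client address. The endpoint path /index.php in the sample is a placeholder, since the advisory only states that the request must carry the task parameter; the detector matches that parameter on any path. One caveat a practitioner should keep in mind: if the task parameter travels in the POST body rather than the query string, an access log will not show it, and only body-inspecting controls such as an IDS or WAF will see the first stage; the second stage (a 200 on a .php under the previews directory) is still visible here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Values taken from the advisory text.
UPLOAD_TASK = "wpmp_upload_previews"
PREVIEW_DIR = "/wp-content/uploads/wpmp-previews/"

# Constructed sample log (combined format). Addresses are documentation ranges;
# the /index.php endpoint path is an assumed placeholder, not from the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /index.php?task=wpmp_upload_previews HTTP/1.1" 200 71 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/uploads/wpmp-previews/wpdm-adp-1696946136-shell.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-content/uploads/wpmp-previews/wpdm-adp-1696946000-cover.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# PHP-executable extensions, including a double-extension form such as x.php.png
# that some handler configurations still execute.
PHP_EXT_RE = re.compile(r"\.ph(?:p\d?|tml)(?:\.|$)")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_upload_request(rec):
    """Stage 1: a POST whose query string carries task=wpmp_upload_previews."""
    if rec["method"] != "POST":
        return False
    query = parse_qs(urlparse(rec["path"]).query)
    return UPLOAD_TASK in query.get("task", [])


def is_preview_php_fetch(rec):
    """Stage 2: a request for a PHP file under the publicly served previews directory."""
    path = unquote(urlparse(rec["path"]).path)
    if not path.startswith(PREVIEW_DIR):
        return False
    filename = path[len(PREVIEW_DIR):].lower()
    return PHP_EXT_RE.search(filename) is not None


def analyze(log_text):
    """Correlate both stages per client IP and return only clients with findings.

    Severity is 'medium' for either stage alone and 'high' when the same client
    performs an upload request and then fetches PHP from the previews directory.
    """
    findings = defaultdict(lambda: {"uploads": 0, "php_fetches": [], "severity": "none"})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        f = findings[rec["ip"]]
        if is_upload_request(rec):
            f["uploads"] += 1
            f["severity"] = "medium"
        elif is_preview_php_fetch(rec):
            # Status is kept so an analyst can tell a served (200) file from a 404.
            f["php_fetches"].append((rec["path"], rec["status"]))
            f["severity"] = "high" if f["uploads"] else "medium"
    return {ip: f for ip, f in findings.items() if f["severity"] != "none"}


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f["severity"], "uploads=%d" % f["uploads"], f["php_fetches"])
```

Run as-is it reports the 203.0.113.5 chain as high severity and stays silent on the image fetch from the previews directory, which is legitimate plugin behaviour; feeding it a real access log is a matter of replacing SAMPLE_LOG with the file contents.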
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Upgrade to a non-vulnerable version to mitigate this vulnerability.