WordPress plugin Asset manager upload.php Arbitrary Code Execution
The 'Inj3ct0r Team' compromised an ExploitHub.com database and publicly released a file containing some of the data about the exploits that ExploitHub buys and sells.
I saw the file yesterday, had a quick skim over it, but didn't think too much of it. That is until WPScan team member @gbrindisi pointed out that it contained 2 WordPress plugin vulnerabilities.
The vulnerability details and exploits are likely in the hands of the Inj3ct0r Team and god knows who else. We found the latest 'asset-manager' plugin (version 0.3) to be vulnerable and created a simple PoC. The 'wp-property' plugin did not contain the 'uploadify.php' file which is stated to be vulnerable; did they buy/sell vulnerabilities that hadn't been verified? The 'asset-manager' plugin is not as popular as the 'wp-property' plugin and has only been downloaded ~700 times.
The 'asset-manager' vulnerability title states that the vulnerability lies within the 'upload.php' file. Taking a look at this file it is obvious to see why it is vulnerable.
The most important lines in this file are lines 8 and 15. Line 8 ensures that the file is only accessible to users with the 'edit_pages' permission. Line 15 checks that the file extension is not 'php'; if it is, an error is thrown. (Line 22 is likely to be vulnerable to XSS, but this was not verified.)
PHP by default can interpret code in files with extensions such as 'php3'. Because line 15 only rejects the literal extension 'php', every other extension the server hands to the PHP interpreter passes the check. To exploit the above issue all you have to do is trick an authenticated user with sufficient privileges into sending a file with the 'php3' (or variant) extension containing malicious PHP code to the server.
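As an added illustration (not code from the asset-manager plugin), the following contrasts a single-extension blacklist of the kind described above with an allowlist check; the function names and the sample filenames are constructed for this example.

```php
<?php
// Added example, not the plugin's own code: why rejecting only 'php'
// is insufficient, and what an allowlist-based check looks like instead.

// Mirrors the weakness described in the post: only the literal extension
// 'php' is rejected, so 'php3', 'php5', 'phtml' and similar all pass.
function blacklist_allows(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened replacement: accept only a fixed allowlist of extensions,
// judge the LAST extension (so 'image.jpg.php5' is 'php5'), and reject
// names carrying path separators or NUL bytes before they reach disk.
function allowlist_allows(string $filename): bool {
    static $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
    if (strpbrk($filename, "/\\\0") !== false) {
        return false;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample names an upload handler might receive.
$samples = [
    'photo.jpg', 'report.PDF', 'script.php', 'script.php3',
    'script.phtml', 'image.jpg.php5', '../escape.png', 'noext',
];

printf("%-16s %-10s %s\n", 'filename', 'blacklist', 'allowlist');
foreach ($samples as $name) {
    printf("%-16s %-10s %s\n", $name,
        blacklist_allows($name) ? 'accept' : 'reject',
        allowlist_allows($name) ? 'accept' : 'reject');
}
```

Inside WordPress itself, the allowlist step is what wp_check_filetype_and_ext() provides; an extension check alone still leaves the 'edit_pages' capability as the only barrier, so the handler should keep that permission test as well.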
Here is a basic PoC:
The 'product_price' column in the Inj3ct0r leak says '25.0000'; what currency this is and the exact amount I don't know. It could be $25 or $25,000. Either way, it shows that there is a market, big or small, for WordPress plugin vulnerabilities.
This will be added to the WPScan databases so don't forget to update!
(only after doing the research and writing the blog post did I realise that it wasn't such a popular plugin, one more for the WPScan database anyway :)