WordPress Advanced Uploader 4.2 Shell Upload

WordPress Advanced Uploader plugin versions 4.2 and below suffer from a remote shell upload vulnerability.

SHA-256 | d6da47e9cfa89f863bdbab26f72fb5536450efbf87365b7899f665f69f1edd2a

# Exploit Title: WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated)
# Google Dork: -
# Date: 2022-03-13
# Exploit Author: Roel van Beurden
# Vendor Homepage: -
# Software Link: https://downloads.wordpress.org/plugin/advanced-uploader.4.2.zip
# Version: <=4.2
# Tested on: WordPress 5.9 on Ubuntu 18.04
# CVE: CVE-2022-1103

1. Description:
WordPress Plugin Advanced Uploader <=4.2 allows authenticated arbitrary file upload. Any file(type) can be uploaded. A malicious user can perform remote code execution on the backend webserver.

2. Proof of Concept:
- Upload file/webshell/backdoor with the Advanced Uploader plugin;
- File is uploaded in the Wordpress Media Library;
- Go to /wp-content/uploads/ where the file is saved;
- Click on the uploaded file for whatever it's supposed to do (RCE, reverse shell).

3. Exploitation demo:

Related Posts