Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload

vendor:

WP Super Edit

by:

h4shur

8.8

CVSS

HIGH

Unrestricted File Upload

434

CWE

Product Name: WP Super Edit

Affected Version From: 2.5.4

Affected Version To: 2.5.4

Patch Exists: YES

Related CWE: N/A

CPE: a:wordpress:wordpress:2.5.4

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 & Google Chrome

2021

WordPress Plugin WP Super Edit 2.5.4 – Remote File Upload

WordPress Plugin 'wp-super-edit' allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement.

Mitigation:

Developers should ensure that uploaded files are validated and filtered based on the expected file type and size. The application should also check the file header and content to ensure that the file is not malicious. Additionally, the application should store the uploaded files in a non-executable directory.

Source

Exploit-DB raw data:

# Title: Wordpress Plugin WP Super Edit 2.5.4 - Remote File Upload
# Author: h4shur
# date: 2021-05-06
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/wp-super-edit/
# Version : 2.5.4 and earlier
# Tested on: Windows 10 & Google Chrome
# Category : Web Application Bugs
# Dork :
# inurl:"wp-content/plugins/wp-super-edit/superedit/"
# inurl:"wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/"

### Note:

# 1. Technical Description:
This plugin allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

# 2. Technical Description:
WordPress Plugin "wp-super-edit" allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

### POC:

* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html
* Exploit 2 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/connectors/test.html
* Exploit 3 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/upload/test.html
* Exploit 4 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/frmupload.html