[align=center]Plugin Buddypress Xprofile Custom Fields Type 2.6.3 Arbitrary File Deletion – Unlink[/align]
Code:
Details
Name: Buddypress Xprofile Custom Fields Type
Version: 2.6.3
Homepage: https://wordpress.org/plugins/buddypress-xprofile-custom-fields-type/
Type: Arbitrary File Deletion / Remote Code Execution (RCE)

Description
Required access: any registered BuddyPress user.
$_POST[ 'field_' . $field_id . '_hiddenfile' ] is not escaped.
$_POST[ 'field_' . $field_id . '_deleteimg' ] is not escaped.

Code
File: wp-content/plugins/buddypress-xprofile-custom-fields-type/bp-xprofile-custom-fields-type.php
Lines: 452, 472, 496, 513, 568, 579
Examples:
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hiddenfile' ] );
unlink( $uploads['basedir'] . $_POST[ 'field_' . $field_id . '_hidd
[/align]
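The root cause above is that a client-controlled string is concatenated onto $uploads['basedir'] and handed straight to unlink(). The following is an added example of a hardened replacement for that pattern; it is not the plugin's own code and it is not the vendor's fix. The function name bpxcft_safe_unlink, the 'profile-fields' subdirectory and the demonstration directory layout are assumptions made for illustration.

```php
<?php
// Added example (not the plugin's code): a hardened replacement for the
// unlink( $uploads['basedir'] . $_POST[...] ) pattern named in the advisory.
// Function name, subdirectory name and demo layout are assumptions.

/**
 * Delete an uploaded file only if the request-supplied name is a bare file
 * name that resolves to a regular file strictly inside the plugin's own
 * upload subdirectory. Returns true on deletion, false on any rejection.
 */
function bpxcft_safe_unlink( array $uploads, $user_supplied, $allowed_subdir = 'profile-fields' )
{
    // 1. Accept only a bare file name, never a path from the client.
    if ( ! is_string( $user_supplied ) || $user_supplied === '' ) {
        return false;
    }
    $name = basename( $user_supplied );   // drops any "/", "\" or ".." components
    if ( $name !== $user_supplied || $name === '.' || $name === '..' ) {
        return false;                      // the client sent a path, not a name
    }

    // 2. Restrict to the character set and extensions the field may store.
    if ( ! preg_match( '/^[A-Za-z0-9_.-]+\.(jpe?g|png|gif)$/i', $name ) ) {
        return false;
    }

    // 3. Resolve both sides with realpath() so symlinks cannot escape the base.
    $base = realpath( rtrim( $uploads['basedir'], '/\\' ) . '/' . $allowed_subdir );
    if ( $base === false ) {
        return false;
    }
    $target = realpath( $base . '/' . $name );
    if ( $target === false || ! is_file( $target ) ) {
        return false;                      // missing, or not a regular file
    }
    if ( strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return false;                      // resolved outside the allowed directory
    }

    return unlink( $target );
}

// Constructed demonstration (not part of the plugin): a throwaway upload tree
// with one legitimate image and a pretend wp-config.php one level above it.
$tmp = sys_get_temp_dir() . '/bpxcft_demo_' . uniqid();
mkdir( $tmp . '/profile-fields', 0700, true );
file_put_contents( $tmp . '/profile-fields/avatar.png', 'fake image bytes' );
file_put_contents( $tmp . '/wp-config.php', '<?php // pretend config' );
$uploads = array( 'basedir' => $tmp );

var_dump( bpxcft_safe_unlink( $uploads, '../wp-config.php' ) ); // a traversal attempt
var_dump( bpxcft_safe_unlink( $uploads, 'wp-config.php' ) );    // not an allowed image name
var_dump( bpxcft_safe_unlink( $uploads, 'avatar.png' ) );       // a legitimate upload
var_dump( file_exists( $tmp . '/wp-config.php' ) );             // confirm the config survived
```

Two caveats a reviewer would still raise. First, this only confines the deletion to the upload subdirectory; the real handler must additionally verify the WordPress nonce for the profile form and check that the named file is the one stored for the logged-in user's own field, otherwise one member can still delete another member's image. Second, the cleanest design removes the client-supplied name entirely: store the file name server-side against the user and field ID when the upload is saved, and on delete look it up from that record rather than from $_POST.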
Code:
Proof of Concept
https://www.youtube.com/watch?v=uIO_DvWCM3s
1 - Log in as a BuddyPress user.
2 - Open Edit Profile: http://target/members/admin/profile/edit/
3 - Save profile data with an image, then change the image-delete parameter in the HTML source and save the profile again: wp-config is deleted and the whole system restarts.