Drag and Drop Multiple File Upload – Contact Form 7 by CodeDropz WordPress plugin Non-Arbitrary File Upload
LANAVDB ID: a9e6e1de-7ee2-4ebf-aff0-a609860e8b58
The plugin was affected by a Non-Arbitrary File Upload vulnerability and a CSRF vulnerability. Together, the two vulnerabilities allow files to be uploaded to the server, including from a script.
Note: only limited file types can be uploaded.
Let’s check the plugin
The plugin adds the following action hook:
The dnd_upload_cf7_upload() function includes the following request handling:
It then uploads the file:
Note: The interesting thing is that it also works without a form_id, so we can upload a file even if the file upload field has not been added to any form.
Let’s see how we can exploit this vulnerability
Since the function does not implement a nonce check, it is vulnerable to CSRF. Therefore, files can also be uploaded using a script.
The easiest way is to create an exploit.html file:
For security reasons, I modified the plugin to replace the uploaded file with a demo file with different content, so it is not possible to upload malicious files in the sandbox and use the sandbox website as a public file server.
If the file upload is successful, you will be redirected to the image file corresponding to the file type. If the file upload failed and the file does not exist, a not found error message will be displayed.
File upload exploit URL: https://lana.solutions/vdb/codedropz-dnd-upload-contact-form-7/exploit.html
Uploaded file URL:
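As an added illustration (not the plugin's own code), the following is how a WordPress AJAX upload handler can close the two gaps described above: a nonce check against CSRF and a requirement that the upload belong to an existing form that actually contains an upload field. The hook name, nonce action, field names, helper function and the "[mfile" tag check are assumptions.

```php
<?php
// Hardened AJAX upload handler (added example, not the plugin's code).
// Hook name, nonce action, $_POST/$_FILES field names and the helper are assumed.
add_action( 'wp_ajax_hypothetical_dnd_cf7_upload', 'hypothetical_dnd_cf7_upload' );
add_action( 'wp_ajax_nopriv_hypothetical_dnd_cf7_upload', 'hypothetical_dnd_cf7_upload' );

function hypothetical_dnd_cf7_upload() {
    // 1. CSRF: reject requests without a valid nonce for this action.
    //    check_ajax_referer() exits with HTTP 403 when the nonce is missing or invalid,
    //    so a cross-site page cannot trigger the upload on a visitor's behalf.
    check_ajax_referer( 'hypothetical_dnd_cf7_upload', 'security' );

    // 2. Require a form_id that refers to a real form containing an upload field.
    //    The advisory notes uploads succeeded even when no form_id was sent at all.
    $form_id = isset( $_POST['form_id'] ) ? absint( $_POST['form_id'] ) : 0;
    if ( ! $form_id || ! hypothetical_form_has_upload_field( $form_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid form.' ), 400 );
    }

    if ( empty( $_FILES['upload-file'] ) || ! is_uploaded_file( $_FILES['upload-file']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    // 3. Allowlist by extension and sniffed content type, not by client-supplied MIME.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );
    $check   = wp_check_filetype_and_ext( $_FILES['upload-file']['tmp_name'], $_FILES['upload-file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( array( 'message' => 'File type not allowed.' ), 415 );
    }

    // 'test_form' => false is required because this is not the core 'wp_handle_upload' action.
    $result = wp_handle_upload( $_FILES['upload-file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 500 );
    }
    wp_send_json_success( array( 'url' => esc_url_raw( $result['url'] ) ) );
}

// Assumed helper: true only for a Contact Form 7 form whose template contains an upload tag.
function hypothetical_form_has_upload_field( $form_id ) {
    $form = get_post( $form_id );
    if ( ! $form || 'wpcf7_contact_form' !== $form->post_type ) {
        return false;
    }
    // Assumption: the plugin's upload field is written as an "[mfile ...]" form tag.
    return false !== strpos( $form->post_content, '[mfile' );
}
```

The matching nonce must be issued to the legitimate front-end script (for example via wp_create_nonce() passed through wp_localize_script()) so that only requests originating from the site's own form carry it.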