Advertisement






WordPress Monsters-Editor-10-For-WP-Super-Edit Plugins 2.3.1 Remote Shell Upload Vulnerability

CVE Category Price Severity
CWE-264 Not specified High
Author Risk Exploitation Type Date
Unknown High Remote 2018-12-20
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018120183

Below is a copy:

WordPress Monsters-Editor-10-For-WP-Super-Edit Plugins 2.3.1 Remote Shell Upload Vulnerability
###########################################################################################################

# Exploit Title : WordPress Monsters-Editor-10-For-WP-Super-Edit Plugins 2.3.1 Remote Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 20/12/2018
# Vendor Homepage : thedevcouple.com ~ wordpress.org/plugins/monsters-editor-10-for-wp-super-edit/
+ github.com/wp-plugins/monsters-editor-10-for-wp-super-edit
# Software Download Link : downloads.wordpress.org/plugin/monsters-editor-10-for-wp-super-edit.zip
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : 2.1 and 2.3.1
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/''
+ intext:''Using the fMulti theme design by Fredrik Fahlstad Proudly powered by WordPress.''
+ intext:''Website Design by Cynscreations.com.''
+ intext:''Powered by Aquino Media | Designed by Aquino Media Group''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
+ CWE-434: Unrestricted Upload of File with Dangerous Type
# Visit Web Security Blog and Forum : cyberizm.org [ Team ] ~ ayarsecurity.com [ Friend ]

###########################################################################################################

# Exploit : 

/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html

/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/browser/default/browser.html

/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/browser/default/frmupload.html

# Directory File Path : 

/wp-content/uploads/......

/wp-content/uploads/[YEAR]/[MONTH]....

#################################################################################################

# Note : This plugin Monsters-Editor-10-For-WP-Super-Edit contains a very serious vulnerability that allowed hackers to gain full control  

modify, upload and execute files on any website running WordPress. With the plugin installed on a certain website, 

a hacker or malicious person can gain access to the web server via HTTP through a backdoor in the plugins directory.

###########################################################################################################

Vulnerable File Code => /test.html

********************************

<!--
 * FCKeditor - The text editor for Internet - http://www.fckeditor.net
 * Copyright (C) 2003-2007 Frederico Caldeira Knabben
 *
 * == BEGIN LICENSE ==
 *
 * Licensed under the terms of any of the following licenses at your
 * choice:
 *
 *  - GNU General Public License Version 2 or later (the "GPL")
 *    http://www.gnu.org/licenses/gpl.html
 *
 *  - GNU Lesser General Public License Version 2.1 or later (the "LGPL")
 *    http://www.gnu.org/licenses/lgpl.html
 *
 *  - Mozilla Public License Version 1.1 or later (the "MPL")
 *    http://www.mozilla.org/MPL/MPL-1.1.html
 *
 * == END LICENSE ==
 *
 * Test page for the "File Uploaders".
-->
<html>
<head>
<title>FCKeditor - Uploaders Tests</title>
<script language="javascript">

function SendFile()
{
var sUploaderUrl = cmbUploaderUrl.value ;

if ( sUploaderUrl.length == 0 )
sUploaderUrl = txtCustomUrl.value ;

if ( sUploaderUrl.length == 0 )
{
alert( 'Please provide your custom URL or select a default one' ) ;
return ;
}

eURL.innerHTML = sUploaderUrl ;
txtUrl.value = '' ;

frmUpload.action = sUploaderUrl ;
frmUpload.submit() ;
}

function OnUploadCompleted( errorNumber, fileUrl, fileName, customMsg )
{
switch ( errorNumber )
{
case 0 :// No errors
txtUrl.value = fileUrl ;
alert( 'File uploaded with no errors' ) ;
break ;
case 1 :// Custom error
alert( customMsg ) ;
break ;
case 10 :// Custom warning
txtUrl.value = fileUrl ;
alert( customMsg ) ;
break ;
case 201 :
txtUrl.value = fileUrl ;
alert( 'A file with the same name is already available. The uploaded file has been renamed to "' + fileName + '"' ) ;
break ;
case 202 :
alert( 'Invalid file' ) ;
break ;
case 203 :
alert( "Security error. You probably don't have enough permissions to upload. Please check your server." ) ;
break ;
default :
alert( 'Error on file upload. Error number: ' + errorNumber ) ;
break ;
}
}

</script>
</head>
<body>
<table cellSpacing="0" cellPadding="0" width="100%" border="0" height="100%">
<tr>
<td>
<table cellSpacing="0" cellPadding="0" width="100%" border="0">
<tr>
<td nowrap>
Select the "File Uploader" to use:<br>
<select id="cmbUploaderUrl">
<option selected value="asp/upload.asp">ASP</option>
<option value="aspx/upload.aspx">ASP.Net</option>
<option value="cfm/upload.cfm">ColdFusion</option>
<option value="lasso/upload.lasso">Lasso</option>
<option value="php/upload.php">PHP</option>
<option value="">(Custom)</option>
</select>
</td>
<td nowrap>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
<td width="100%">
Custom Uploader URL:<BR>
<input id="txtCustomUrl" style="WIDTH: 100%; BACKGROUND-COLOR: #dcdcdc" disabled type="text">
</td>
</tr>
</table>
<br>
<table cellSpacing="0" cellPadding="0" width="100%" border="0">
<tr>
<td noWrap>
<form id="frmUpload" target="UploadWindow" enctype="multipart/form-data" action="" method="post">
Upload a new file:<br>
<input type="file" name="NewFile"><br>
<input type="button" value="Send it to the Server" onclick="SendFile();">
</form>
</td>
<td style="WIDTH: 16px">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</td>
<td vAlign="top" width="100%">
Uploaded File URL:<br>
<INPUT id="txtUrl" style="WIDTH: 100%" readonly type="text">
</td>
</tr>
</table>
<br>
Post URL: <span id="eURL">&nbsp;</span>
</td>
</tr>
<tr>
<td height="100%">
<iframe name="UploadWindow" width="100%" height="100%" src="javascript:void(0)"></iframe>
</td>
</tr>
</table>
</body>
</html>

###########################################################################################################

# Example Vulnerable Sites =>

[+] dionysusrecords.com/main/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html

[+] dfrere.fr/Blog01/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html

[+] mark.langkau.org/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html

[+] tonyaquino.com/wp-content/plugins/monsters-editor-10-for-wp-super-edit/mse/fckeditor/editor/filemanager/upload/test.html

###########################################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###########################################################################################################

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum