WordPress nlh_omp-v1 Themes 1.0 Unauthorized File Insertation

CVE: Not specified
Category: CWE-264
Price: Not specified
Severity: High
Author: Not specified
Risk: High
Exploitation Type: Remote
Date: 2019-03-06
CVSS: CVSS:4.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0
EPSSP: 0


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019030052

Below is a copy:

####################################################################

# Exploit Title : WordPress nlh_omp-v1 Themes 1.0 Unauthorized File Insertation
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 06/03/2019
# Vendor Homepage : wordpress.org ~ nlh.gr
# Software Information Link : wordpress.org/themes/nlh_omp-v1/
# Software Affected Version : 1.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
WordPress nlh_omp-v1 Themes 1.0 is prone to an arbitrary file upload vulnerability.

An attacker may leverage this issue to upload arbitrary files to the affected computer; this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

####################################################################

# Exploit :
*********
/wp-content/themes/nlh_omp-v1/inc/moments_form.php

# Directory File Path :
********************
/wp-content/uploads/[YEAR]/[MONTH/.....

####################################################################

# Vulnerable Source Code :
*************************
<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <title>Moments Upload form</title>
  <link href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900&subset=latin,greek' rel='stylesheet' type='text/css'>
  <link href='https://fonts.googleapis.com/css?family=Roboto+Slab:400,700,300,100&subset=latin,greek' rel='stylesheet' type='text/css'>
  <link href='https://nlh.gr/wp-content/themes/nlh_omp-v1/fontawesome/css/font-awesome.min.css' rel='stylesheet' type='text/css'>
  <link rel="stylesheet" href="https://nlh.gr/wp-content/themes/nlh_omp-v1/style.css" type="text/css">
  <link rel="stylesheet" href="https://nlh.gr/wp-content/themes/nlh_omp-v1/responcive_style.css" type="text/css">
  <script src="https://nlh.gr/wp-content/themes/nlh_omp-v1/js/ui/jquery-ui.min.js"></script>
</head>
<body id="moments_body">
  <form id="media_upload_form" enctype="multipart/form-data">
    <div class="spinner" id="image_loader"><div class="bounce1"></div><div class="bounce2"></div><div class="bounce3"></div></div>
    <div id="image_placeholder">
      <label for="user_file" class="btn_view">Select a photo</label>
      <input type="file" name="user_file" id="user_file">
      <small>*You can upload jpg or png files with maximum file size 2MB.</small>
    </div>
    <span id="thx_mesage"><strong>Thank you very much!</strong> <br>Your image will be published soon.</span>
    <input type="hidden" id="image_id" name="image_id" value="">
    <input type="email" id="photo_file_email" name="visitor_email" placeholder="Your email" required>
    <input type="text" id="photo_file_title" name="item_title" placeholder="Add Title" required>
    <textarea id="photo_file_desc" name="item_desc" placeholder="Add Description"></textarea>
    <span class="form_upload_btn" id="form_upload_btn" style="display: none;" onClick="add_gallery();">Save</span>
  </form>
  <script src="https://nlh.gr/wp-content/themes/nlh_omp-v1/js/simpleUpload.min.js"></script>
  <script>
    jQuery(function(){
      jQuery('#user_file').simpleUpload({
        url: 'https://nlh.gr/wp-content/themes/nlh_omp-v1/inc/etc_tools.php',
        types: ['jpg', 'png','Jpg','Png','JPG','PNG'],
        size: 2072,
        fields: {
          type: 'user_file',
        },
        beforeSend:function(files){
          jQuery('#image_placeholder').empty();
          jQuery('#image_loader').show();
        },
        change:function(files){
          jQuery.each(files, function(i, file){
            console.log(file);
            jQuery('#image_loader').show();
          });
        },
        success:function(data){
          console.log(data);
          var obj = jQuery.parseJSON(data);
          image_url = obj['url'];
          image_id = obj['image_id'];
          jQuery("#image_id").val(image_id);
          jQuery('#image_loader').hide();
          jQuery('#form_upload_btn').show();
          jQuery('#image_placeholder').html('<span><img src="'+image_url+'"/></span>');
        }
      });
    });
    function add_gallery(){
      post_title = jQuery("#photo_file_title").val();
      visitor_email = jQuery("#photo_file_email").val();
      post_content= jQuery("#photo_file_desc").val();
      post_image_id= jQuery("#image_id").val();
      jQuery.post("https://nlh.gr/wp-content/themes/nlh_omp-v1/inc/etc_tools.php",{
        action : 'add_moment',
        post_title : post_title,
        visitor_email : visitor_email,
        post_content : post_content,
        post_image_id : post_image_id
      }).done(function(data) {
        console.log(data);
        if (data == 'OK'){
          jQuery("#photo_file_email").remove();
          jQuery("#photo_file_title").remove();
          jQuery("#photo_file_desc").remove();
          jQuery(".form_upload_btn").remove();
          jQuery("#thx_mesage").show();
          setInterval(function(){
            parent.$.fancybox.close();
          }, 5000);
        }
      }
      );
    }
  </script>
</body>
</html>
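
The form above states "jpg or png ... maximum file size 2MB" and sets those limits in the browser-side simpleUpload options, and the advisory gives /wp-content/uploads/ as where uploaded files land. As an added example (not part of the original advisory or the theme's code), this Python audit walks an uploads tree and flags files that break that image-only policy; the extension allowlist, the reading of 2MB as 2 * 1024 * 1024 bytes, and the script markers are assumptions made here.

```python
import os
import sys

# Assumed policy (mirrors the form's "jpg or png, max 2MB" notice).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
MAX_BYTES = 2 * 1024 * 1024
# Markers of server- or browser-executable content hidden in an "image".
SCRIPT_MARKERS = (b"<?php", b"<script")


def audit_file(path):
    """Return the reasons a file violates the image-only policy (empty if clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(MAX_BYTES + 1)
    if ext not in MAGIC:
        reasons.append("extension not allowed: %r" % ext)
    elif not data.startswith(MAGIC[ext]):
        reasons.append("content does not match extension")
    if len(data) > MAX_BYTES:
        reasons.append("larger than 2MB")
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        reasons.append("contains script marker")
    return reasons


def audit_uploads(root):
    """Walk an uploads tree; map relative path -> reasons for each flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = audit_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


if __name__ == "__main__":
    # Usage: python audit_uploads.py /path/to/wp-content/uploads
    for rel, why in sorted(audit_uploads(sys.argv[1]).items()):
        print(rel, "->", "; ".join(why))
```

On a site whose media library legitimately holds other file types, extend `MAGIC` with their signatures so the remaining findings stay meaningful.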

####################################################################

# Example Vulnerable Sites :
*************************
[+] nlh.gr/wp-content/themes/nlh_omp-v1/inc/moments_form.php

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

####################################################################
