module
Wordpress Plugin Modern Events Calendar - Authenticated Remote Code Execution
| Disclosed | Created |
|---|---|
| Jan 29, 2021 | Jul 26, 2021 |
Disclosed
Jan 29, 2021
Created
Jul 26, 2021
Description
This module allows an attacker with a privileged Wordpress account to launch a reverse shell
due to an arbitrary file upload vulnerability in Wordpress plugin Modern Events Calendar
This is due to an incorrect check of the uploaded file extension.
Indeed, by using `text/csv` content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin.
Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/.php`
due to an arbitrary file upload vulnerability in Wordpress plugin Modern Events Calendar
This is due to an incorrect check of the uploaded file extension.
Indeed, by using `text/csv` content-type in a request, it is possible to upload a .php payload as is is not forbidden by the plugin.
Finally, the uploaded payload can be triggered by a call to `/wp-content/uploads/.php`
Authors
Nguyen Van Khanh
Ron Jost
Yann Castel (yann.castel Yann Castel (yann.castel@orange.com)
Ron Jost
Yann Castel (yann.castel Yann Castel (yann.castel@orange.com)
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.