Gallery – Flagallery Photo Portfolio [CSRF → File Upload]
The Gallery – Flagallery Photo Portfolio WordPress plugin suffers from a CSRF vulnerability that can lead to arbitrary file uploads.
The plugin registers the AJAX action flag_banner_crunch, which calls the function flag_banner_crunch. This function does not implement any anti-CSRF measure (no nonce check), which makes it susceptible to this kind of attack.

The function copies a file defined in the $_POST['path'] parameter. A malicious actor can leverage the CSRF vulnerability to copy arbitrary files onto the vulnerable server from a remote or local origin.

Note that uploads are limited to the allowed file types by default. However, if the tricked user has the unfiltered_uploads capability, those restrictions do not apply.
Proof of concept:

<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="flag_banner_crunch">
    <input type="text" name="path" value="http://wp-plugin-csrf.dev/mal.html">
    <button type="submit" value="Submit">Submit</button>
</form>
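As an added illustration (not the plugin's own code; the handler, action, nonce and script-handle names are assumptions), this is the shape of an AJAX handler that the form above could not drive: a nonce check that a cross-site form cannot satisfy, a capability check, and a path restricted to the site's own uploads directory with the allowed file types enforced:

```php
<?php
// Added example, not code from the Flagallery plugin. Names are assumptions.

// The nonce is issued to the logged-in user and handed to the plugin's own
// admin script; a third-party page has no way to obtain it.
add_action( 'admin_enqueue_scripts', function () {
    // Assumes a script registered under the handle 'example-banner-js'.
    wp_localize_script( 'example-banner-js', 'exampleBanner', array(
        'security' => wp_create_nonce( 'example_banner_crunch' ),
    ) );
} );

add_action( 'wp_ajax_example_banner_crunch', 'example_banner_crunch' );

function example_banner_crunch() {
    // 1. Anti-CSRF: dies with -1 unless the 'security' field carries a valid
    //    nonce for this action and this user.
    check_ajax_referer( 'example_banner_crunch', 'security' );

    // 2. Cross-site requests ride on the victim's cookies, so also require the
    //    capability the operation actually needs.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Never copy from a caller-chosen URL or absolute path: accept only a
    //    file name that resolves inside the uploads directory.
    $uploads = wp_upload_dir();
    $name    = sanitize_file_name( wp_unslash( $_POST['path'] ?? '' ) );
    $base    = realpath( $uploads['basedir'] );
    $source  = realpath( trailingslashit( $uploads['basedir'] ) . $name );
    if ( ! $base || ! $source || strpos( $source, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    // 4. Apply the site's allowed-file-type list to the copy as well, so an
    //    .html or .php source is refused regardless of how it got there.
    $type = wp_check_filetype( $source );
    if ( empty( $type['ext'] ) ) {
        wp_send_json_error( 'file type not allowed', 400 );
    }

    $dest = trailingslashit( $uploads['basedir'] ) . 'banners/' . basename( $source );
    wp_mkdir_p( dirname( $dest ) );
    if ( ! copy( $source, $dest ) ) {
        wp_send_json_error( 'copy failed', 500 );
    }
    wp_send_json_success( array( 'file' => basename( $dest ) ) );
}
```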
Vendor notified through contact form on codeasily.com
Vendor received details