WordPress Plugin WP Super Edit File Upload Vulnerability

Vulnerability Information

Vulnerability name: WordPress Plugin WP Super Edit File Upload Vulnerability

Vulnerability type: File upload

Severity: High

Vulnerability description:

Affected Products

The WordPress plugin WP Super Edit enhances the functionality of the WordPress editor and is widely used on WordPress sites that need rich-text editing support. By integrating editors such as FCKeditor, the plugin provides file upload and management features and is deployed across a variety of content management system (CMS) scenarios. Because of this convenience, the plugin has a certain user base in the WordPress community.

Vulnerability Details

This is a file upload vulnerability: the FCKeditor component bundled with the plugin does not strictly validate the type of uploaded files, so an attacker can upload malicious files. The root cause is the absence of an effective filter and validation mechanism for uploaded file types, which lets an attacker upload executable scripts or other dangerous file types. Once such a file has been uploaded and stored on the server, the attacker may execute arbitrary code simply by requesting it directly, and from there take control of the entire site or server.

Impact Analysis

The security risk of this vulnerability is extremely high because it allows an attacker to upload malicious files without any authentication, which can lead to complete control of the server. An attacker can use it for a range of malicious activities, including but not limited to site defacement, data leakage, service disruption, and even attacks on other systems hosted on the server. Because the bar for exploitation is low and public exploit code exists (such as the Exploit DB entry), the vulnerability is very easy for automated tools or script kiddies to exploit and poses a serious threat to affected sites.

Vendor: WordPress

Product: WP Super Edit

Affected version: 2.5.4

Source: https://github.com/projectdiscovery/nuclei-templates/issues/12710

Type: projectdiscovery/nuclei-templates: GitHub issues

Source Summary

Is there an existing template for this?

  • I have searched the existing templates.

Nuclei Template

```yaml
id: wordpress-wp-super-edit-file-upload

info:
  name: WordPress WP Super Edit File Upload
  author: 0xr2r
  severity: high
  description: |
    WordPress Plugin "wp-super-edit" allows attackers to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin.
  tags: wordpress, file-upload
  reference:
    - https://wordpress.org/plugins/wp-super-edit/
    - https://www.exploit-db.com/exploits/49839
    -

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "FCKeditor"
          - "File Upload"
      - type: word
        part: header
        words:
          - "text/html"
```
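As an added defensive example (my code, not part of the issue or the nuclei project), the following Python applies the same check the template's status matcher makes, reachability of the FCKeditor file manager path, to web server access logs, so a defender can confirm that block rules are in place and see which sources are probing for it. The log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Path prefix of the FCKeditor file manager shipped with WP Super Edit, taken from the
# request in the nuclei template above; any request below it is worth surfacing.
FCK_FILEMANAGER = ("/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins"
                   "/mse/fckeditor/editor/filemanager/")

# Apache/nginx combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def classify(entry):
    """Label a parsed entry, or return None when it is not about the file manager."""
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    if not path.startswith(FCK_FILEMANAGER):
        return None
    # 200 means the legacy file manager is still reachable (the condition the nuclei
    # template's status matcher checks); any other status suggests a block rule or removal.
    return "filemanager-reachable" if entry["status"] == 200 else "filemanager-blocked"

def scan(lines):
    # Group matching requests by label as (ip, method, path, status) tuples.
    findings = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        if label is not None:
            findings[label].append((entry["ip"], entry["method"], entry["path"], entry["status"]))
    return dict(findings)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Jul/2025:10:01:02 +0000] "GET /wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html HTTP/1.1" 200 4211 "-" "Mozilla/5.0"
198.51.100.9 - - [25/Jul/2025:10:02:15 +0000] "GET /wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html?Type=File HTTP/1.1" 403 199 "-" "curl/8.0"
192.0.2.4 - - [25/Jul/2025:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
"""
```

Run `scan(SAMPLE_LOG.splitlines())` to get the findings grouped by label; a `filemanager-reachable` hit on a production host means the template above would also fire against it.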

Relevant dumped responses

#### Note:

## 1. Technical Description:
This plugin allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

## 2. Technical Description:
WordPress Plugin "wp-super-edit" allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

#### POC:

* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html

Anything else?

No response


http://example.com/2025/07/25/github_1734716691/
Author
lianccc
Published
25 July 2025
License