WordPress Plugin WP Super Edit 文件上传漏洞

漏洞信息

漏洞名称： WordPress Plugin WP Super Edit 文件上传漏洞

漏洞类型： 文件上传

漏洞等级： 高危

漏洞描述： WordPress插件WP Super Edit 2.5.4版本中存在一个文件上传漏洞，该漏洞允许攻击者上传或传输危险类型的文件，这些文件可以在产品的环境中自动处理。此漏洞由该插件中的FCKeditor引起。上传的文件对应用程序构成重大风险，因为许多攻击的第一步是向目标系统注入代码，然后攻击者只需找到执行代码的方法。利用文件上传功能，攻击者可以轻松完成第一步。无限制的文件上传后果可能包括完全系统接管、过载的文件系统或数据库、将攻击转发到后端系统、客户端攻击或简单的污损。具体影响取决于应用程序如何处理上传的文件，尤其是文件的存储位置。该漏洞的利用可能导致严重的安全问题，包括远程代码执行和数据泄露，且无需认证即可被利用，增加了自动攻击的风险。

产品厂商： WordPress

产品名称： WP Super Edit

影响版本： 2.5.4

来源： https://github.com/projectdiscovery/nuclei-templates/issues/12709

类型： projectdiscovery/nuclei-templates:github issues

来源概述

Is there an existing template for this?

• I have searched the existing templates.

Nuclei Template

''

id: wordpress-wp-super-edit-file-upload

info:
  name: WordPress WP Super Edit File Upload
  author: 0xr2r
  severity: high
  description: |
    WordPress Plugin "wp-super-edit" allows attackers to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin.
  tags: wordpress, file-upload
  reference:
    - https://wordpress.org/plugins/wp-super-edit/
    - https://www.exploit-db.com/exploits/49839
    - 

http:
  - raw:
      - |
        GET /wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200
      - type: word
        part: body
        words:
          - "FCKeditor"
          - "File Upload"
      - type: word
        part: header
        words:
          - "text/html"
''

Relevant dumped responses

#### Note:

## 1. Technical Description:
This plugin allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step.The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored. 

## 2. Technical Description:
WordPress Plugin "wp-super-edit" allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. This vulnerability is caused by FCKeditor in this plugin. Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker accomplish the first step. The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

#### POC:

* Exploit 1 : site.com/wp-content/plugins/wp-super-edit/superedit/tinymce_plugins/mse/fckeditor/editor/filemanager/browser/default/browser.html

Anything else?

No response