WordPress Responsive Thumbnail Slider 1.0 - Authenticated Shell Upload & CSRF



Description
The original advisory states that this vulnerability is exploitable with editor and author roles but this is incorrect. Only the administrator role by default can trigger this vulnerability.

However, CSRF on the image upload form makes this exploitable by a malicious actor.
Proof of Concept
Create a file names shell.php.jpg with PHP.
Intercept the request and change the file name to shell.php.
File was uploaded to http://www.example.com/wp-content/uploads/wp-responsive-images-thumbnail-slider/96b64029012ad7ca3a368fba667938cd.php

Affects Plugin

References

URL http://cxsecurity.com/issue/WLB-2015080170

Classification

Type MULTI

Miscellaneous

Submitter firefart
Submitter Website https://firefart.at/
Submitter Twitter _FireFart_
Views 4747
Verified Yes
WPVDB ID 8171

Timeline

Publicly Published 2015-08-31 (almost 4 years ago)
Added 2015-09-02 (almost 4 years ago)
Last Updated 2015-09-02 (almost 4 years ago)

Our Other Services

Online WordPress Vulnerability Scanner WPScan WordPress Security Plugin