WordPress MiwoFTP Plugin 1.0.5 CSRF Arbitrary File Creation Exploit (RCE)

Vendor: Miwisoft LLC
Product web page: http://www.miwisoft.com
Affected version: 1.0.5

Summary: MiwoFTP is a smart, fast and lightweight file manager plugin that operates from the back-end of WordPress.

Desc: The MiwoFTP WP plugin suffers from a cross-site request forgery vulnerability that leads to remote code execution. The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform actions such as executing arbitrary PHP code by uploading a malicious PHP script file, with administrative privileges, if a logged-in user visits a malicious web site.

Tested on: Apache 2.4.10 (Win32)
           PHP 5.6.3
           MySQL 5.6.21

Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2015-5242
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5242.php
Vendor: http://miwisoft.com/wordpress-plugins/miwoftp-wordpress-file-manager#changelog

24.03.2015

--

RCE CSRF PoC for a masqueraded payload in the admin view when editing:

Logic error: When the admin clicks on the malicious link the plugin will:

1. Search for an existing file to edit: action=edit&dir=/&item=wp-comments-post.php.
2. In the root folder of WP, the file wp-comments.php is created.
3. The payload is an excerpt from wp-comments-post.php without ' is inserted.
5. The admin is presented with the interface for editing wp-comments.php with contents from wp-comments-post.php.
6. After that, no matter what the admin clicks (CSRF) (Save, Reset or Close), the backdoor file is created (wp-comments.php).
7. The attacker executes code, e.g.: http://localhost/wordpress/wp-comments.php?c=whoami
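The root cause above is a privileged file-edit action that trusts request parameters with no proof that the request came from the plugin's own UI. The following PHP is an added illustration, not MiwoFTP's code, of the unchecked pattern beside the standard WordPress hardening (capability check, nonce via check_admin_referer, path confined to ABSPATH); the function names, the nonce action 'example_ftp_edit' and the admin page slug are assumptions.

```php
<?php
// Added example, not plugin code. Weak pattern described in the advisory:
// dir/item come straight from the request and are acted on with the
// logged-in admin's privileges, so any site can forge the request.
function example_handle_edit_unchecked() {
    $dir  = $_REQUEST['dir'];
    $item = $_REQUEST['item'];
    return ABSPATH . ltrim( $dir, '/' ) . '/' . $item; // opened/created later
}

// Hardened pattern: the request must carry a nonce tied to the admin's
// session and this action. A third-party page cannot obtain that value,
// so a forged link/form fails check_admin_referer() with HTTP 403.
function example_handle_edit_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_ftp_edit', '_wpnonce' );

    $dir  = isset( $_REQUEST['dir'] ) ? wp_unslash( $_REQUEST['dir'] ) : '/';
    // sanitize_file_name() strips slashes, so item cannot traverse directories.
    $item = isset( $_REQUEST['item'] ) ? sanitize_file_name( wp_unslash( $_REQUEST['item'] ) ) : '';
    if ( $item === '' ) {
        wp_die( 'Missing item', '', array( 'response' => 400 ) );
    }

    // Confine the target directory to the WordPress root (realpath resolves "..").
    $base     = realpath( ABSPATH );
    $dir_real = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $dir, '/\\' ) );
    if ( $dir_real === false || strpos( $dir_real, $base ) !== 0 ) {
        wp_die( 'Invalid directory', '', array( 'response' => 400 ) );
    }
    return $dir_real . DIRECTORY_SEPARATOR . $item;
}

// Every link or form in the plugin UI that reaches the handler must carry
// the matching nonce; a link without it is rejected by the check above.
function example_edit_link( $dir, $item ) {
    $target = admin_url( 'admin.php?page=example-plugin&action=edit'
        . '&dir=' . rawurlencode( $dir ) . '&item=' . rawurlencode( $item ) );
    return wp_nonce_url( $target, 'example_ftp_edit', '_wpnonce' );
}
```

Nonces are per-user and time-limited, so the check also stops a captured URL from being replayed indefinitely; it does not replace the capability check, which still decides who may edit files at all.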