WordPress nlh_omp-v1 Themes 1.0 Unauthorized File Upload

####################################################################

# Exploit Title : WordPress nlh_omp-v1 Themes 1.0 Unauthorized File Insertation Vulnerability
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 06/03/2019
# Vendor Homepage : wordpress.org ~ nlh.gr
# Software Information Link : wordpress.org/themes/nlh_omp-v1/
# Software Affected Version : 1.0
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

####################################################################

# Impact :
***********
WordPress nlh_omp-v1 Themes 1.0 is prone to an arbitrary file upload vulnerability.

An attacker may leverage this issue to upload arbitrary files to the affected computer;

this can result in arbitrary code execution within the context of the vulnerable application.

Weaknesses in this category are related to the management of permissions,

privileges, and other security features that are used to perform access control.

####################################################################

# Exploit :
*********
/wp-content/themes/nlh_omp-v1/inc/moments_form.php

# Directory File Path :
********************
/wp-content/uploads/[YEAR]/[MONTH/.....

####################################################################

# Vulnerable Source Code :
*************************
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Moments Upload form</title>
<link href='https://fonts.googleapis.com/css?family=Roboto:400,100,300,500,700,900&subset=latin,greek' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Roboto+Slab:400,700,300,100&subset=latin,greek' rel='stylesheet' type='text/css'>
<link href='https://nlh.gr/wp-content/themes/nlh_omp-v1/fontawesome/css/font-awesome.min.css' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="https://nlh.gr/wp-content/themes/nlh_omp-v1/style.css" type="text/css">
<link rel="stylesheet" href="https://nlh.gr/wp-content/themes/nlh_omp-v1/responcive_style.css" type="text/css">
<script src="https://nlh.gr/wp-content/themes/nlh_omp-v1/js/ui/jquery-ui.min.js"></script>
</head>
<body id="moments_body">
<form id="media_upload_form" enctype="multipart/form-data">
<div class="spinner" id="image_loader"><div class="bounce1"></div><div class="bounce2"></div><div class="bounce3"></div></div>
<div id="image_placeholder">
<label for="user_file" class="btn_view">Select a photo</label>
<input type="file" name="user_file" id="user_file">
<small>*You can upload jpg or png files with maximum file size 2MB.</small>
</div>
<span id="thx_mesage"><strong>Thank you very much!</strong> <br>Your image will be published soon.</span>
<input type="hidden" id="image_id" name="image_id" value="">
<input type="email" id="photo_file_email" name="visitor_email" placeholder="Your email" required>
<input type="text" id="photo_file_title" name="item_title" placeholder="Add Title" required>
<textarea id="photo_file_desc" name="item_desc" placeholder="Add Description"></textarea>
<span class="form_upload_btn" id="form_upload_btn" style="display: none;" onClick="add_gallery();">Save</span>
</form>
<script src="https://nlh.gr/wp-content/themes/nlh_omp-v1/js/simpleUpload.min.js"></script>
<script>
		jQuery(function(){
			jQuery('#user_file').simpleUpload({
				url: 'https://nlh.gr/wp-content/themes/nlh_omp-v1/inc/etc_tools.php',
				types: ['jpg', 'png','Jpg','Png','JPG','PNG'],
				size: 2072,
				fields: {
					type	: 'user_file',
				},
				beforeSend	:	function(files){
					jQuery('#image_placeholder').empty();
					jQuery('#image_loader').show();
				},
				change	:	function(files){
					jQuery.each(files, function(i, file){
						console.log(file);
						jQuery('#image_loader').show();
					});
				},
				success	:	function(data){
					console.log(data);
					var obj 	= jQuery.parseJSON(data);
					image_url 	= obj['url'];
					image_id 	= obj['image_id'];
					jQuery("#image_id").val(image_id);
					jQuery('#image_loader').hide();
					jQuery('#form_upload_btn').show();
					jQuery('#image_placeholder').html('<span><img src="'+image_url+'"/></span>');
				}
			});
		});
		function add_gallery(){
			post_title 		= jQuery("#photo_file_title").val();
			visitor_email 	= jQuery("#photo_file_email").val();
			post_content	= jQuery("#photo_file_desc").val();
			post_image_id	= jQuery("#image_id").val();
			jQuery.post("https://nlh.gr/wp-content/themes/nlh_omp-v1/inc/etc_tools.php",{
				action : 'add_moment',
				post_title : post_title,
				visitor_email : visitor_email,
				post_content : post_content,
				post_image_id : post_image_id
				}).done(function(data) {
					console.log(data);
					if (data == 'OK'){
						jQuery("#photo_file_email").remove();
						jQuery("#photo_file_title").remove();
						jQuery("#photo_file_desc").remove();
						jQuery(".form_upload_btn").remove();
						jQuery("#thx_mesage").show();
						setInterval(function(){
						parent.$.fancybox.close();
						}, 5000);
					}
				}
			);
		}
		</script>
</body>
</html>

####################################################################

# Example Vulnerable Sites :
*************************
[+] nlh.gr/wp-content/themes/nlh_omp-v1/inc/moments_form.php

####################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

####################################################################