WordPress HT-Poi Plugins 2.9 Unauthorized File Insertation

1. ####################################################################
2.  
3. # Exploit Title : WordPress HT-Poi Plugins 2.9 Unauthorized File Insertation
4. # Author [ Discovered By ] : KingSkrupellos
5. # Team : Cyberizm Digital Security Army
6. # Date : 06/03/2019
7. # Vendor Homepage : wordpress.org
8. # Software Download Link : wordpress.org/plugins/ht-poi/
9. # Software Affected Version : 2.8 - 2.9
10. # Software Developer : Ipstenu (Mika Epstein)
11. # Solution : Upgrade/Update to 3.0
12. # Tested On : Windows and Linux
13. # Category : WebApps
14. # Exploit Risk : Medium
15. # Vulnerability Type : CWE-264 - [ Permissions, Privileges, and Access Controls ]
16. # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
17. # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
18. # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
19.  
20. ####################################################################
21.  
22. # Information about Software :
23. ***************************
24. “HT Poi” is open source software for WordPress.
25.  
26. ####################################################################
27.  
28. # Impact :
29. ***********
30. WordPress HT-Poi Plugins 2.9 and previous versions is prone to an arbitrary file upload vulnerability.
31.  
32. An attacker may leverage this issue to upload arbitrary files to the affected computer;
33.  
34. this can result in arbitrary code execution within the context of the vulnerable application.
35.  
36. Weaknesses in this category are related to the management of permissions,
37.  
38. privileges, and other security features that are used to perform access control.
39.  
40. ####################################################################
41.  
42. # Vulnerable Source Code :
43. ************************
44. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
45. <html xmlns="http://www.w3.org/1999/xhtml">
46. <head>
47. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
48. <title>File Upload</title>
49. <link rel="stylesheet" type="text/css" href="CSS/poi.css" />
50. <body>
51. <div id="uploads_cont">
52. <h1 style="font-size:20px;">Images: </h1>
53. <table>
54. <tr>
55. <td colspan="4">
56. <input type="file" style="background-color:#FFF; border:1px solid #CCC;" /> <input type="text" name="title" style="background-color:#FFF; border:1px solid #CCC;" /> <input type="submit" name="subImage" value="Upload Image" style="background-color:#FFF; border:1px solid #CCC;" />
57. </td>
58. </tr>
59. <tr>
60. <th class="title" style="width:258px; text-align:left;"> Title </th>
61. <th class="title" style="width:258px; text-align:left;"> Url </th>
62. <th class="title" style="text-align:left;"> Image </th>
63. <th class="title"> </th>
64. </tr>
65. <tr class="image_seperator">
66. <td colspan="3"> </td>
67. </tr>
68. <tr>
69. </tr>
70. </table>
71. </div>
72. </body>
73. </html>
74.  
75. ####################################################################
76.  
77. # Arbitrary File Upload Exploit :
78. *****************************
79. /wp-content/plugins/HT-Poi/file_upload.php
80.  
81. ####################################################################
82.  
83. # Example Vulnerable Site :
84. *************************
85. [+] hotelpanorama-aegina.gr/wp-content/plugins/HT-Poi/file_upload.php
86.  
87. ####################################################################
88.  
89. # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
90.  
91. ####################################################################