Securin Zero-Days

Visit the following page on a site with this plugin installed in the following URL http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product which CVE-2015-9228 is vulnerable to file upload in file and name variable from which name variable extension is modified from JPG to PHP and file variable containing image content/information is semi-modified with PHP shell to be executed in the server which can be accessed with the help of publicly available URL. here, it is http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308

Issue 1:

The Post request file and name variable in the URL http://yourwordpresssite.com/wordpress/wp-admin/post-new.php?post_type=wpsc-product is vulnerable to file upload. In which name variable extension is modified from JPG to PHP and file variable is added with PHP shell to be executed in the server which can be accessed with the help of publicly available URL http://yourwordpresssite.com/wordpress/wp-content/gallery/xss/T.php?i=1523488308

Figure 1: Normal request to the server

Figure 2: File variable modified from JPG to PHP

Figure 03: Mixing the content of the uploading file with shell content to get executed

Figure 4: Showing that file has been uploaded as image into the server

Figure 5: Originally, file have been stored in PHP format which can be executed from outside login

Figure 6: Shell Execution giving system information of the hosted server.