PoC Script for CVE-2023-4596, unauthenticated Remote Command Execution through arbitrary file uploads.

Video of PoC being used
Nuclei Template
News article
WordFence
NVD Nist

A critical vulnerability has been discovered in the wordpress plugin Forminator, which enables an unauthorized attacker to upload arbitrary files to an server. The initial proof of concept (PoC) was poorly written, the original researcher shared a few unclear screenshots along with a request containing unexplained code. So i wrote a python script to simplify and automate the process.

The vulnerability is caused by an error in the validation process for file types. When attempting to upload a prohibited file format, such as PHP, an alert is generated stating that the "Uploaded file's extension is not allowed." Despite this notification, the uploaded file is not blocked but rather, it is successfully uploaded and can be accessed within the "/wp-content/uploads" folder of the site. This vulnerability can lead to remote code execution.

Forminator is currently active on more than 400,000 sites, and with the simplicity of the vulnerability, it is quite easy to gain control over any site running Forminator with file upload enabled.

Find a page running Forminator <= 1.24.6 with an upload function on the page. Copy the full URL and generate an interactsh link. After a succesful upload, a request should appear in interactsh within 5 seconds, indicating it is vulnerable. The code can be easily modified to get code execution, but to prevent people from misusing the PoC, I've only made an intrusive way to confirm a vulnerable instance.

user@debian:~$ python3 exploit.py -u http://127.0.0.1:8000/?p=7

______                   _             _              ______  _____  _____
|  ___|                 (_)           | |             | ___ \/  __ \|  ___|
| |_ ___  _ __ _ __ ___  _ _ __   __ _| |_ ___  _ __  | |_/ /| /  \/| |__
|  _/ _ \| '__| '_ ` _ \| | '_ \ / _` | __/ _ \| '__| |    / | |    |  __|
| || (_) | |  | | | | | | | | | | (_| | || (_) | |    | |\ \ | \__/\| |___
\_| \___/|_|  |_| |_| |_|_|_| |_|\__,_|\__\___/|_|    \_| \_| \____/\____/


Input interactsh link: <input interactsh link>

[+] Sending payload to target
[+] Successful file upload!

Uploaded File Location: http://127.0.0.1:8000/wp-content/uploads/2023/08/QotTkAFBsf.php

[+] Sending request to uploaded file...
[+] Successfully triggered the uploaded file!
[+] Check Interactsh for an incoming request.

user@debian:~$ python3 exploit.py -u http://127.0.0.1:8000/?p=7 -v

______                   _             _              ______  _____  _____
|  ___|                 (_)           | |             | ___ \/  __ \|  ___|
| |_ ___  _ __ _ __ ___  _ _ __   __ _| |_ ___  _ __  | |_/ /| /  \/| |__
|  _/ _ \| '__| '_ ` _ \| | '_ \ / _` | __/ _ \| '__| |    / | |    |  __|
| || (_) | |  | | | | | | | | | | (_| | || (_) | |    | |\ \ | \__/\| |___
\_| \___/|_|  |_| |_| |_|_|_| |_|\__,_|\__\___/|_|    \_| \_| \____/\____/


[+] Vulnerable version found: 1.24.6

The script only needs a full URL of a page that is using Forminator with file uploads enabled and an interactsh link to determine if the instance is vulnerable. The first request is sent to the page to extract the forminator_nonce and form_id which are values that are different for every page. After retrieving these values, a second request is sent out that uses these extracted values, and the PHP file is uploaded. This PHP file uses the interactsh link that was provided earlier by the user and adds it to the script. When the page is visited where the PHP script is located, a request will show up in interactsh showing that the site is vulnerable. Regex is used for splitting the URL into parts that are used later in the request, it is also used to determine the version of Forminator that is printed when using the -v argument. The location where the file is uploaded depends on what year and months you upload the file, that is why I used datetime to determine the current months and year, which is also used later to send the request to the uploaded file location. When testing the vulnerability, I was using a single filename, but after sending multiple files, i noticed only the first uploaded file would start. To fix that, a random string is used for every request.

I've included two files (checker.sh and checker.bat) in the repo that check the current folder and subfolders for any files with a blocked extension. When these are found, they will be displayed. The reason for this script is that for every month the plugin has been installed, a new folder is created, which can take a lot of work to manually check all of them.

Update to the latest version

1. cd CVE-2023-4596/ && docker-compose up -d
2. Browse to http://127.0.0.1:8000
3. Set up a wp account and download the vulnerable plugin found here
4. Create a form with postdata or a file upload and publish it to a post
5. Enjoy ( /・・)ノ

The script provided is for educational purposes only, I am not responsible for your actions.