WordPress: a serious vulnerability in the data export module and RCE in Windows

If you once installed the module "Export Users to CSV" to CMS Wordpress, thanks to which you could export data about users, now you must uninstall this plugin, which is vulnerable to remote exile code with administrator privileges. According to the assessment based on the international standard CVSS (Common Vulnerability Scoring System) risk assessment / seriousness / priority of the threat, the vulnerability gained as much as 8.8 points out of 10 possible.

There is no update yet, but it is ready for exploit, fully equipped, added to the Exploit Database and allowing you to quickly import into Metasploit - a tool used for penetration tests and for real attacks.

The vulnerability is in the "Export Users to CSV" module in current version 1.1.1 and earlier. An authenticated attacker with the rights of an ordinary user can save in any field in the profile edition the code, which after logging in to the administrator and downloading the CSV sheet will launch any command in the operating system from which the administrator logged - and with current permissions.

# 3. Proof Of Concept (PoC):
# Enter the payload =SUM(1+1)*cmd|' /C calc'!A0 in any field of the profile, for example, in biography.
# When the user with high privileges logs in to the application, export data in CSV and opens the
# generated file, the command is executed and the calculator will run open on the machine.

# 4. Payloads:
=SUM(1+1)*cmd|' /C calc'!A0
+SUM(1+1)*cmd|' /C calc'!A0
-SUM(1+1)*cmd|' /C calc'!A0
@SUM(1+1)*cmd|' /C calc'!A0

Although the ready exploit includes the launch of the calculator, modifying the code will not be difficult. The attack can be used for more difficult tasks, such as a computer infection with malware - of any kind. The easiest way to do this is through system interpreter - for this and similar circumstances we have prepared a practical guide for computer protection .

If the attacker manages to infect the operating system by using a vulnerability in the Wordpress module, he or she will have a lot of room for maneuver. The best recommendation is to temporarily disable the module until the update appears.



Add new comment

The content of this field is kept private and will not be shown publicly.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.