
CVE-2020-12077 PoC — WordPress mappress-google-maps-for-wordpress Code Issue Vulnerability

Associated Vulnerability
Title: WordPress mappress-google-maps-for-wordpress Code Issue Vulnerability (CVE-2020-12077)
Description: The mappress-google-maps-for-wordpress plugin before 2.53.9 for WordPress does not correctly implement AJAX functions with nonces (or capability checks), leading to remote code execution.
Description
MapPress Maps Pro < 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions
Readme
# CVE-2020-12077
MapPress Maps Pro < 2.53.9 - Remote Code Execution (RCE) due to Incorrect Access Control in AJAX Actions

### Description

The pro version of this plugin registers several AJAX actions that call functions which lack capability checks and nonce checks, specifically the ‘ajax_get’, ‘ajax_save’, and ‘ajax_delete’ functions in mappress_template.php. As such, it is possible for a logged-in attacker with minimal permissions, such as a subscriber, to perform the following actions:
Upload an executable PHP file (including potential backdoors) and achieve Remote Code Execution by sending a $_POST request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_save’, the ‘name’ parameter set to the base name of the file they want to create, and the ‘content’ parameter set to executable PHP code. This file would then be created in and could be executed from the directory of the currently active theme.

Delete any existing PHP file on the site (such as wp-config.php) by sending a $_POST request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_delete’, and the ‘name’ parameter set to the basename of the file to delete. For example, to delete wp-config.php a directory traversal attack could be used, and the ‘name’ parameter could be set to ‘../../../wp-config’. This would cause the site to be reset, at which point an attacker could gain full control of the site.

View the contents of any existing PHP file on the site (such as wp-config.php) by sending a $_GET request to wp-admin/admin-ajax.php with the ‘action’ parameter set to ‘mapp_tpl_get’, and the ‘name’ parameter set to the name of the file to disclose. For example, to view the contents of wp-config.php, a directory traversal attack could be used, and the ‘name’ parameter could be set to ‘../../../../wp-config’.
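
The root cause described above is a `wp_ajax_*` handler that trusts the request: no nonce, no capability check, and a user-supplied name used to build a path in the theme directory. The following is an added illustration written for this page, not the plugin's own code, showing that handler shape next to a hardened version. The `example_` function names, the `example_tpl` nonce action, the option name and the script handle are hypothetical; the WordPress APIs used (`check_ajax_referer`, `current_user_can`, `sanitize_file_name`, `wp_send_json_error`, `wp_create_nonce`, `wp_localize_script`) are real.

```php
<?php
// Added illustration for CVE-2020-12077's bug class; not the MapPress code.
// Hook names, option name and the 'example_' prefix are hypothetical.

// ---- Vulnerable shape: no nonce, no capability check, unsanitised name ----
// Every logged-in user can reach wp_ajax_* actions via admin-ajax.php, so this
// handler lets a subscriber write attacker-controlled PHP into the active theme.
function example_tpl_save_vulnerable() {
    $name    = $_POST['name'];
    $content = $_POST['content'];
    file_put_contents( get_stylesheet_directory() . "/{$name}.php", $content );
    wp_die();
}

// ---- Hardened shape ----
function example_tpl_save_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request when the nonce is missing or invalid.
    check_ajax_referer( 'example_tpl', 'nonce' );

    // 2. Authorisation: only users allowed to edit theme files may save templates.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 3. Input validation: accept only a plain template identifier, which rules
    //    out '../' traversal and alternative extensions entirely.
    $name = isset( $_POST['name'] ) ? sanitize_file_name( wp_unslash( $_POST['name'] ) ) : '';
    if ( $name === '' || ! preg_match( '/^[a-z0-9_-]{1,64}$/', $name ) ) {
        wp_send_json_error( array( 'message' => 'invalid template name' ), 400 );
    }

    // 4. Never persist user-supplied content as an executable file. Store it as
    //    data (a WordPress option here) and have the rendering code treat it as a
    //    template string, not as PHP.
    $content   = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $templates = get_option( 'example_tpl_templates', array() );
    $templates[ $name ] = $content;
    update_option( 'example_tpl_templates', $templates );

    wp_send_json_success( array( 'name' => $name ) );
}

// The same three checks apply to the get and delete handlers. The delete handler
// should additionally only remove entries it created (keys of the option above),
// never a filesystem path derived from the request.
function example_tpl_delete_hardened() {
    check_ajax_referer( 'example_tpl', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }
    $name      = isset( $_POST['name'] ) ? sanitize_file_name( wp_unslash( $_POST['name'] ) ) : '';
    $templates = get_option( 'example_tpl_templates', array() );
    if ( $name === '' || ! isset( $templates[ $name ] ) ) {
        wp_send_json_error( array( 'message' => 'no such template' ), 404 );
    }
    unset( $templates[ $name ] );
    update_option( 'example_tpl_templates', $templates );
    wp_send_json_success();
}

// Register only the hardened handlers, and no wp_ajax_nopriv_* variant, so
// unauthenticated requests are refused by admin-ajax.php itself.
add_action( 'wp_ajax_example_tpl_save',   'example_tpl_save_hardened' );
add_action( 'wp_ajax_example_tpl_delete', 'example_tpl_delete_hardened' );

// Issue the nonce to the editor script (assumed to be enqueued under the
// hypothetical handle 'example-tpl-editor') so legitimate requests can send it
// as the 'nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-tpl-editor', 'exampleTpl', array(
        'nonce' => wp_create_nonce( 'example_tpl' ),
    ) );
} );
```

The nonce alone would not have prevented this issue: a subscriber can obtain a valid nonce for any action the page hands out, so the capability check is what actually closes the privilege gap, and the name validation is what removes the traversal. Storing templates as data rather than as `.php` files in the theme directory removes the code-execution sink altogether, which is the change a reviewer should ask for even if the other checks are present.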


POC
---
```bash
python3 exploit.py --url http://wordpress.lan --username user --password useruser1 --code "<?php phpinfo(); ?>"
```
File Snapshot

```
[4.0K] /data/pocs/d21b22f130c125f98d29b955fcab9ce8766a22bd
├── [1.5K] exploit.py
└── [2.0K] README.md

0 directories, 2 files
```