CVE-2014-5460
Published 2014-09-11
Priority: P2 · 64 · medium · CVSS 2.0 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Exploit: available · EPSS: 70.89% (99.3rd percentile)
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tribulant | tibulant_slideshow_gallery | <= 1.4.6 | — |
Detection & IOCs (extracted from sources)
- url: /wp-admin/admin.php?page=slideshow-slides&Galleryupdated=true&Gallerymessage=Slide+has+been+saved
- command: weevely http://VICTIM/wordpress/wp-content/uploads/slideshow-gallery/backdoor.php whitexploit
- Detect POST requests to the slideshow plugin save endpoint with a multipart upload containing a PHP file — the plugin does not restrict file types, unlike the WordPress API.
- Alert on any PHP file appearing under the path wp-content/uploads/slideshow-gallery/ — this directory is the fixed drop location for uploaded webshells.
- Flag multipart POST requests to admin.php?page=slideshow-slides&method=save where the uploaded filename has a .php extension in the Content-Disposition header.
- The exploit uses a distinctive multipart boundary string; detect it in HTTP request bodies as a signature of the Python PoC tool.
- Monitor for a successful upload confirmation response containing the Galleryupdated=true parameter, indicating a slide (and potentially a shell) was saved.
- Exploitation requires the attacker to be authenticated; any registered WordPress role (Administrator, Editor, Author, Contributor, Subscriber) is sufficient — not just admins.
- The vulnerability is fixed in Slideshow Gallery version 1.4.7; detections targeting the upload endpoint are only relevant on sites running version 1.4.6 or earlier.
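A detection helper covering the request-side indicator (multipart POST to the save endpoint carrying a PHP filename) and the host-side indicator (PHP under the fixed drop directory). This is an added example, not code from any of the sources indexed here; the form field name, boundary and sample bodies are constructed, and the extension list is an assumption that generalises beyond `.php` to other PHP-executable suffixes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fixed drop location named in the advisory: no PHP-executable file belongs here.
UPLOAD_DIR = "wp-content/uploads/slideshow-gallery/"
# Assumption: treat .php plus common variant suffixes as PHP-executable.
PHP_EXT_RE = re.compile(r"\.(?:php\d?|phtml|phar)$", re.I)
FILENAME_RE = re.compile(rb'Content-Disposition:[^\r\n]*?filename="([^"]*)"', re.I)

def is_slideshow_save(url: str) -> bool:
    """True for .../wp-admin/admin.php?page=slideshow-slides&method=save, any host."""
    u = urlsplit(url)
    qs = parse_qs(u.query)
    return (u.path.endswith("/wp-admin/admin.php")
            and qs.get("page") == ["slideshow-slides"]
            and qs.get("method") == ["save"])

def php_part_filenames(body: bytes) -> list:
    """Filenames from multipart Content-Disposition headers that look PHP-executable."""
    names = [n.decode("latin-1") for n in FILENAME_RE.findall(body)]
    return [n for n in names if PHP_EXT_RE.search(n)]

def flag_upload_request(method: str, url: str, content_type: str, body: bytes) -> list:
    """Offending filenames for a multipart POST to the save endpoint, else []."""
    if (method.upper() != "POST"
            or not content_type.lower().startswith("multipart/form-data")
            or not is_slideshow_save(url)):
        return []
    return php_part_filenames(body)

def flag_upload_paths(paths) -> list:
    """Host-side check: PHP-executable files under the plugin's upload directory."""
    return [p for p in paths
            if UPLOAD_DIR in p.replace("\\", "/") and PHP_EXT_RE.search(p)]

# Constructed sample traffic (field name and boundary are made up for the demo).
BOUNDARY = b"----ConstructedBoundary1234"
def _multipart(filename: bytes, content: bytes) -> bytes:
    return (b"--" + BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename + b'"\r\n'
            b"Content-Type: application/octet-stream\r\n\r\n" + content + b"\r\n"
            b"--" + BOUNDARY + b"--\r\n")

SAVE_URL = "http://example.test/wp-admin/admin.php?page=slideshow-slides&method=save"
CT = "multipart/form-data; boundary=" + BOUNDARY.decode()
EVIL = _multipart(b"backdoor.php", b"<?php /* constructed placeholder */ ?>")
BENIGN = _multipart(b"photo.jpg", b"\xff\xd8\xff")
```

Feed `flag_upload_request` from a WAF or reverse-proxy log that retains request bodies, and run `flag_upload_paths` over a periodic file listing of the uploads tree.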
No detection rules found.
Exploit-DB: WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload (exploitdb · 2014-09-16 · CVSS 6.5 · CVE-2014-5460 [MEDIUM])
---
```python
#!/usr/bin/env python
#
# WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit
#
# WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability (CVE-2014-5460)
#
# Vulnerability discovered by: Jesus Ramirez Pichardo - http://whitexploit.blogspot.mx/
#
# Exploit written by: Claudio Viviani - [email protected] - http://www.homelab.it
#
#
# Disclaimer:
#
# This exploit is intended for educational purposes only and the author
# can not be held liable for any kind of damages done whatsoever to your machine,
# or damages caused by some other, creative application of this exploit.
# In any case you disagree with the above statement, stop here.
#
#
# Requirements:
#
# 1) Enabled user managemen
```
Exploit-DB: WordPress Plugin Slideshow Gallery 1.4.6 - Arbitrary File Upload (exploitdb · 2014-09-01 · CVE-2014-5460)
---
Summary: WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability.
Found by: Jesus Ramirez Pichardo
@whitexploit
http://whitexploit.blogspot.mx/
Date: 2014-08-28
Vendor Homepage: http://tribulant.com/
Software: Slideshow Gallery
Version: 1.4.6
Software Link: http://downloads.wordpress.org/plugin/slideshow-gallery.1.4.6.zip
Tested on: Windows 7 OS, WordPress 3.9.2 and Chrome Browser.
Description:
I found a serious security vulnerability in the Slideshow Gallery plugin. This bug allows an attacker to upload any php file remotely to the vulnerable website (administrator by default). I have tested and verified that having the current version of the plugin installed in a WordPress i
Metasploit: Wordpress SlideShow Gallery Authenticated File Upload
The Wordpress SlideShow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it's possible to upload any file type.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/128069/WordPress-Slideshow-Gallery-1.4.6-Shell-Upload.html
- http://secunia.com/advisories/60074
- http://whitexploit.blogspot.mx/2014/08/wordpress-slideshow-gallery-146-shell.html
- http://www.exploit-db.com/exploits/34514
- http://www.exploit-db.com/exploits/34681
- http://www.securityfocus.com/archive/1/533281/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95676
- https://wordpress.org/plugins/slideshow-gallery/changelog