Advisory: Advanced Access Manager allows admin users to write arbitrary files and execute arbitrary PHP

Vulnerability

Last revised:

Advanced Access Manager allows writing arbitrary content to arbitrary files. Depending on the server configuration, this could allow arbitrary code execution or the overwriting of core WordPress files (e.g. blanking wp-config.php). In other configurations it could lead to overwriting files in the uploads directory.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability:

  • Score: 6.5 (Medium)
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

  • Visit http://localhost/wp-admin/admin.php?page=aam-configpress
  • Press “Save” (this creates the “aam_configpress” option)
  • Visit http://localhost/wp-admin/options.php
  • Set “aam_configpress” to “test.php”
  • Press “Save Changes”
  • Visit http://localhost/wp-admin/admin.php?page=aam-configpress again
  • Enter “<?php phpinfo();” into the textarea (without the quotes)
  • Press “Save”
  • Visit http://localhost/wp-content/aam/test.php

Note that there is no restriction on using “../” in the “aam_configpress” option, so depending on server configuration you could create files anywhere on the filesystem.

This attack could be scripted to allow upload of binary files, including executable files.
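As an added illustration of the check that was missing (example code written for this advisory, not the plugin's own code), the PHP function below resolves a user-controlled file name to a location inside one fixed directory and rejects the inputs used in the proof of concept: a directory separator or “../”, an absolute path, a NUL byte, and any extension other than an allowed list. The directory wp-content/aam/ and the option name come from the advisory; the function name aam_safe_config_path, the allowed-extension list and the temporary demo directory are assumptions.

```php
<?php
// Added example, not Advanced Access Manager's code. It shows the kind of
// validation a file writer fed from a stored option needs. Names here
// (aam_safe_config_path, the 'ini' allow-list, the demo directory) are hypothetical.

declare(strict_types=1);

/**
 * Resolve a user-controlled file name to a path inside $base_dir, or return
 * null when it is unsafe. Only a plain file name with an allowed extension is
 * accepted, and realpath() confirms the result still lives inside $base_dir
 * (covers symlinked files that already exist).
 */
function aam_safe_config_path(string $base_dir, string $name, array $allowed_ext = ['ini']): ?string
{
    // No empty names, no NUL bytes (NUL truncates the name in C-level file APIs).
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // No directory separators at all: this rules out "../", "/etc/..." and "..\".
    if (strpbrk($name, '/\\') !== false) {
        return null;
    }
    // "." and ".." contain no separator but are not file names either.
    if ($name === '.' || $name === '..') {
        return null;
    }
    // Allow-list the extension; "test.php" and "x.ini.php" are both rejected here.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return null;
    }
    $real_base = realpath($base_dir);
    if ($real_base === false) {
        return null;
    }
    $target = $real_base . DIRECTORY_SEPARATOR . $name;
    // If the file already exists, make sure it does not point elsewhere via a symlink.
    if (file_exists($target)) {
        $real_target = realpath($target);
        if ($real_target === false || dirname($real_target) !== $real_base) {
            return null;
        }
    }
    return $target;
}

// Demonstration against constructed inputs, including the value from the proof of concept.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'aam-example';   // stands in for wp-content/aam/
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
$candidates = ['config.ini', 'test.php', '../../wp-config.php', '/etc/passwd', "x.ini\0.php", 'x.ini.php'];
foreach ($candidates as $candidate) {
    $result = aam_safe_config_path($base, $candidate);
    printf("%-25s => %s\n", addcslashes($candidate, "\0"), $result === null ? 'REJECTED' : 'ok: ' . $result);
}
```

Run with `php validator.php`; only `config.ini` is accepted, everything else is rejected. The simplest fix for the pattern in this advisory is to not let an option choose the file name at all and write to one fixed path; the validator is for the case where a configurable name has to be kept. Restricting the extension limits what can be planted, but whether a file under wp-content/aam/ is executed or served at all is a separate server-configuration question, which is why the advisory's impact varies by setup.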

Advisory timeline

  • 2014-08-20: Discovered
  • 2014-09-01: Reported to author via email
  • 2014-09-01: Requested CVE
  • 2014-09-01: Developer responded
  • 2014-09-02: Developer reported the issue fixed
  • 2014-09-03: Advisory published

Mitigation/further actions

Upgrade to version 2.8.3 or later.