W-P Admin
Posts : 80 Join date : 2013-11-12 Age : 38 Location : Cyber World
Subject: WordPress OptimizePress hack (file upload vulnerability) Thu Apr 24, 2014 10:40 am

Dork : inurl:/wp-content/themes/OptimizePress/lib/admin/media-upload.php
Exploit : localhost/path/wp-content/themes/OptimizePress/lib/admin/media-upload.php/

Thousands of WordPress sites are at risk of being hacked using a newly-discovered vulnerability in the popular OptimizePress theme. We tried to find an official announcement of this vulnerability, but the search only turned up a PasteBin post from Nov. 23 that has since been removed. However, the Google cache is still there as of now (included at the end of this post). It shows the details of the vulnerability, which is very simple – you can exploit it with a browser.

The problem is in this file: wp-content/themes/OptimizePress/lib/admin/media-upload.php. You can simply browse directly to that file, yielding a page like this:

[screenshot]

The hacker simply has to choose a PHP file using the "Upload New Image" section and upload it. The page then lists it, like this:

[screenshot]

Your files are located here: Site.com/wp-content/uploads/optpress/images_comingsoon/fileshere.php
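A site owner's local check, added here and not part of the post above: it walks a WordPress install on disk, reports whether the OptimizePress upload handler named in the post is present, and lists any PHP files that have landed under wp-content/uploads (the location the post gives for uploaded files). The function names and the sample directory tree are constructed for this example; run it with the WordPress root as the only argument.

```python
import os
import sys
import tempfile

# Upload handler named in the post, relative to the WordPress root.
VULNERABLE_HANDLER = os.path.join("wp-content", "themes", "OptimizePress", "lib", "admin", "media-upload.php")
# Directory the post gives as the landing place for uploaded files.
UPLOAD_DIR = os.path.join("wp-content", "uploads")
# Extensions a typical PHP-enabled web server will execute.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar")


def audit_wordpress_root(root):
    """Return whether the handler exists and which executable files sit under uploads."""
    findings = {"handler_present": os.path.isfile(os.path.join(root, VULNERABLE_HANDLER)),
                "php_in_uploads": []}
    for dirpath, _dirs, files in os.walk(os.path.join(root, UPLOAD_DIR)):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                findings["php_in_uploads"].append(os.path.relpath(os.path.join(dirpath, name), root))
    findings["php_in_uploads"].sort()
    return findings


def build_sample_site(with_handler=True):
    """Create a constructed WordPress tree in a temp dir: optional handler, one PHP file and one image under uploads."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    entries = [
        (os.path.join(UPLOAD_DIR, "optpress", "images_comingsoon", "fileshere.php"), "<?php /* constructed sample */ ?>"),
        (os.path.join(UPLOAD_DIR, "2014", "04", "banner.png"), "constructed stand-in for image bytes"),
    ]
    if with_handler:
        entries.append((VULNERABLE_HANDLER, "<?php /* constructed stand-in for the theme file */ ?>"))
    for rel, body in entries:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_site()
    result = audit_wordpress_root(target)
    print("OptimizePress media-upload.php present:", result["handler_present"])
    for rel in result["php_in_uploads"]:
        print("executable file under uploads:", rel)
```

With no argument it audits the constructed sample tree so the output can be compared against a known layout.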