CVE-2016-10958

Vulnerability

The Estatik Real Estate plugin for WordPress, versions prior to 2.3.0, contains an unauthenticated arbitrary file upload vulnerability. The flaw resides in the es_media_images[] parameter passed to wp-admin/admin-ajax.php. An attacker can upload malicious files (e.g., PHP shells) without any authentication. The vulnerable code path is reachable without any special configuration or user interaction [1][2].

Exploitation

An attacker needs no authentication, no prior privileges, and no user interaction. The attack is performed by sending a crafted POST request to wp-admin/admin-ajax.php with the action parameter set to a value that triggers file upload handling and the es_media_images[] parameter containing a malicious file. The exact steps are: 1) Identify a target site running Estatik < 2.3.0. 2) Send a POST request to wp-admin/admin-ajax.php with the es_media_images[] parameter containing a PHP webshell or other executable file. 3) The file is saved to the server, allowing remote code execution [2].

Impact

Successful exploitation allows an unauthenticated attacker to upload arbitrary files to the WordPress server. This can lead to complete site compromise, including remote code execution, data theft, defacement, or using the compromised site for further attacks. The attacker gains the same privileges as the web server user [2].

Mitigation

The vulnerability is fixed in Estatik version 2.3.0 and later. The official security update was released and described in the vendor advisory [2]. Users must update the plugin to at least version 2.3.0. No workarounds are mentioned; updating is the only mitigation. The current version (4.3.1) is not affected [1][2].