CVE-2018-25335
Description
WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint. Attackers can upload files with arbitrary extensions by manipulating the 'name' parameter to execute code from the uploads directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WordPress Peugeot Music 1.0 plugin has an unauthenticated arbitrary file upload vulnerability allowing remote code execution via manipulated 'name' parameter in upload.php.
Vulnerability
WordPress Plugin Peugeot Music version 1.0 contains an arbitrary file upload vulnerability in the upload.php endpoint located at /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php. The plugin fails to authenticate users or validate file extensions, allowing unauthenticated attackers to upload files with arbitrary extensions by manipulating the name parameter in the POST request [1][2].
Exploitation
An attacker with network access to the target WordPress site can send a crafted POST request to the vulnerable upload.php endpoint. The request includes a file (e.g., a PHP shell) via the file parameter and a desired filename (e.g., shell.php) via the name parameter. No authentication or user interaction is required. The uploaded file is stored in the uploads/ subdirectory of the same plugin folder [1].
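Detection logic for the request sequence described above: an added example written for this page, not code from the plugin or from the cited references. It parses web server access logs in Combined Log Format, flags POST requests to the vulnerable upload.php path as the upload stage, and treats any request for a script-extension file under an uploads/ directory below the plugin as the dropped file being executed. The script extensions, the uploads/ location (matched anywhere under the plugin directory, since the advisory only says "uploads/ subdirectory"), and the sample log lines, IP addresses and timestamps are all constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Paths taken from the advisory.
PLUGIN_DIR = "/wp-content/plugins/peugeot-music-plugin"
UPLOAD_ENDPOINT = PLUGIN_DIR + "/js/plupload/examples/upload.php"

# A script served from any uploads/ directory under the plugin is the dropped
# file being executed. Extension list is an assumption; extend for your stack.
DROPPED_SCRIPT = re.compile(
    re.escape(PLUGIN_DIR) + r"/(?:.*/)?uploads/[^?\s]*\.(?:php\d?|phtml|phar)(?:[?/]|$)",
    re.IGNORECASE,
)

# Combined Log Format prefix as written by Apache/nginx defaults.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not from a real incident): one attacker IP that
# probes, uploads and then executes, and one legitimate visitor.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2026:10:01:02 +0000] "GET /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php HTTP/1.1" 200 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [21/May/2026:10:01:03 +0000] "POST /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/upload.php HTTP/1.1" 200 48 "-" "python-requests/2.31"',
    '203.0.113.5 - - [21/May/2026:10:01:05 +0000] "GET /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/uploads/shell.php?cmd=id HTTP/1.1" 200 97 "-" "python-requests/2.31"',
    '198.51.100.7 - - [21/May/2026:10:02:11 +0000] "GET /wp-content/plugins/peugeot-music-plugin/js/plupload/examples/uploads/song.mp3 HTTP/1.1" 200 4096000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [21/May/2026:10:02:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def classify_request(method: str, path: str) -> Optional[str]:
    """Map one request to an attack stage ("upload" or "execute") or None if benign."""
    path_only = path.split("?", 1)[0]
    if method == "POST" and path_only.lower() == UPLOAD_ENDPOINT:
        return "upload"          # unauthenticated file upload to the vulnerable handler
    if DROPPED_SCRIPT.search(path):
        return "execute"         # dropped script under uploads/ being requested
    return None


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per log line that matches an attack stage."""
    findings = []
    for raw in lines:
        m = LOG_LINE.match(raw)
        if not m:
            continue                     # not a Combined Log Format line
        stage = classify_request(m["method"], m["path"])
        if stage:
            findings.append({"ip": m["ip"], "time": m["ts"], "stage": stage,
                             "status": int(m["status"]), "path": m["path"]})
    return findings


def correlate(findings: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group stages by source IP; an IP seen uploading and then executing is the
    strongest signal, a lone POST to the endpoint still deserves triage."""
    by_ip: Dict[str, set] = {}
    for f in findings:
        by_ip.setdefault(str(f["ip"]), set()).add(str(f["stage"]))
    return {ip: sorted(stages) for ip, stages in by_ip.items()}


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["stage"]:8} {h["status"]} {h["path"]}')
    print(correlate(hits))
```

A GET to upload.php on its own is reconnaissance rather than exploitation and is deliberately not flagged; a 200 on the execute stage means the server actually ran the dropped file, which is the point at which to treat the host as compromised rather than merely targeted.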
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the web server by accessing the uploaded file. This can lead to full compromise of the WordPress site, including data theft, defacement, or further lateral movement within the hosting environment. The CVSS v3 score is 9.8 (Critical) [2].
Mitigation
No official patch or updated version has been released for this plugin as of the available references. The plugin is likely abandoned, so the recommended fix is to remove it from the WordPress installation entirely rather than wait for an update. Where immediate removal is not possible, administrators can deny web access to the vulnerable upload.php endpoint (for example, with a web application firewall rule or a web server access rule) and restrict access to, or disable script execution in, the uploads/ directory it writes to; blocking only the endpoint leaves any already-uploaded file reachable, so that directory should also be checked for dropped scripts. The plugin is not listed on the WordPress Plugin Directory, and no vendor homepage is provided [1][2].
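An on-disk audit that supports the mitigation advice above: an added example for this page, not code from the plugin or the cited references. It checks a WordPress root for the vulnerable upload.php path, lists any script-extension files sitting in an uploads/ directory under the plugin (the indicator that the endpoint has already been abused), and removes the plugin directory as the advisory recommends. The script-extension list is an assumption, and the site tree it runs against is a constructed temporary fixture, not a real installation.

```python
import os
import shutil
import tempfile
from typing import Dict, List

# Relative path of the vulnerable endpoint inside the WordPress root (from the advisory).
PLUGIN_REL = "wp-content/plugins/peugeot-music-plugin"
ENDPOINT_REL = PLUGIN_REL + "/js/plupload/examples/upload.php"

# Extensions the PHP handler will typically execute. Assumed list; extend for your stack.
SCRIPT_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar"}


def audit_wordpress_root(root: str) -> Dict[str, object]:
    """Report whether the plugin and its unauthenticated upload endpoint are present,
    and whether any uploads/ directory under the plugin already holds a script."""
    plugin_dir = os.path.join(root, *PLUGIN_REL.split("/"))
    report: Dict[str, object] = {
        "plugin_present": os.path.isdir(plugin_dir),
        "endpoint_present": os.path.isfile(os.path.join(root, *ENDPOINT_REL.split("/"))),
        "dropped_scripts": [],
    }
    if not report["plugin_present"]:
        return report
    dropped: List[str] = []
    for dirpath, _dirs, files in os.walk(plugin_dir):
        if os.path.basename(dirpath) != "uploads":
            continue
        for name in files:
            if os.path.splitext(name)[1].lower() in SCRIPT_EXTS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                dropped.append(rel.replace(os.sep, "/"))   # normalise for reporting
    report["dropped_scripts"] = sorted(dropped)
    return report


def remediate(root: str) -> List[str]:
    """Apply the advisory's fix: remove the whole plugin directory. Returns the
    endpoint and dropped scripts that existed before removal, for the incident record."""
    before = audit_wordpress_root(root)
    removed: List[str] = []
    if before["endpoint_present"]:
        removed.append(ENDPOINT_REL)
    removed.extend(before["dropped_scripts"])
    plugin_dir = os.path.join(root, *PLUGIN_REL.split("/"))
    if before["plugin_present"]:
        shutil.rmtree(plugin_dir)
    return removed


def build_sample_root() -> str:
    """Constructed fixture: a minimal WordPress tree with the plugin installed, one
    legitimate upload (song.mp3) and one dropped PHP file. Placeholder contents only."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    endpoint = os.path.join(root, *ENDPOINT_REL.split("/"))
    uploads = os.path.join(os.path.dirname(endpoint), "uploads")
    os.makedirs(uploads)
    with open(endpoint, "w") as f:
        f.write("<?php /* placeholder standing in for the example upload handler */ ?>\n")
    with open(os.path.join(uploads, "song.mp3"), "wb") as f:
        f.write(b"\xff\xfb\x90\x00")          # fake MP3 frame header bytes
    with open(os.path.join(uploads, "shell.php"), "w") as f:
        f.write("<?php /* placeholder standing in for an attacker-dropped file */ ?>\n")
    return root


if __name__ == "__main__":
    site = build_sample_root()
    print("before:", audit_wordpress_root(site))
    print("removed:", remediate(site))
    print("after: ", audit_wordpress_root(site))
    shutil.rmtree(site)
```

Run audit_wordpress_root against the real document root before removal and keep the returned dropped_scripts list: a non-empty list means the endpoint was already used, so removing the plugin closes the hole but the host still needs incident response for whatever the dropped script did while it was reachable.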
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Peugeot Music (WordPress plugin), range: =1.0 (version 1.0 only)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.