Detections
Analytics
Sniplets Plugin for WordPress execute.php 'text' Parameter Arbitrary Command Execution
high Nessus Plugin ID 31167
Language:
Synopsis
The remote web server contains a PHP script that allows arbitrary command execution.Description
The remote host is running Sniplets, a third-party text insertion plugin for WordPress.The version of Sniplets installed on the remote host passes user input to the 'text' parameter of the 'modules/execute.php' script before passing it to an 'eval()' statement. Provided that PHP's 'register_globals' setting is enabled, an unauthenticated remote attacker can leverage this issue to execute arbitrary code on the remote host subject to the privileges of the web server user id.
Note that the Sniplets plugin is also reportedly affected by cross-site scripting and remote file inclusion vulnerabilities;
however, Nessus has not tested for these.
Solution
Upgrade to version 1.2.3 or later.See Also
Plugin Details
Severity: High
ID: 31167
File Name: sniplets_text_cmd_exec.nasl
Version: 1.24
Type: remote
Family: CGI abuses
Published: 2/26/2008
Updated: 6/5/2024
Supported Sensors: Nessus
Enable CGI Scanning: true
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.6
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 8.2
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:wordpress:wordpress, cpe:/a:wordpress:sniplets_plugin
Required KB Items: installed_sw/WordPress, www/PHP
Excluded KB Items: Settings/disable_cgi_scanning
Exploit Ease: No exploit is required
Exploited by Nessus: true
Patch Publication Date: 2/29/2008
Vulnerability Publication Date: 2/25/2008
Exploitable With
CANVAS (CANVAS)
Reference Information
CVE: CVE-2008-1060
BID: 27985