CVE

CVE-2022-4606 – FlatPress

RCE – Remote Code Execution

FlatPress has a file upload feature, “uploader”, and displays the uploaded files in the “media manager”. By uploading a malicious PHP file, a user can perform a PHP Remote File Inclusion attack and gain RCE.

POC – Proof of concept

PAYLOAD: test<?php phpinfo(); ?>

Impact

Successful exploitation of PHP file inclusion may result in information disclosure or compromise of the vulnerable system. A remote attacker can read and write files or execute arbitrary code on the target system with the privileges of the web server. In this case, we can do all of these things.
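A server-side check of the kind that blocks this class of upload, as an added example (not FlatPress code and not the project's fix). The function name `reject_reason`, the extension allowlist and the sample file names are assumptions made for illustration; the second sample body is the payload quoted above.

```php
<?php
// Added example: hypothetical upload validator, not taken from FlatPress.
declare(strict_types=1);

// Assumed allowlist; anything not listed is refused.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf'];

/** Returns null when the upload is acceptable, otherwise the rejection reason. */
function reject_reason(string $originalName, string $contents): ?string
{
    // Drop any client-supplied path, then inspect every dot-separated suffix,
    // so "shell.php.jpg" fails as well as "avatar.PHP".
    $name  = basename(str_replace('\\', '/', $originalName));
    $parts = explode('.', strtolower($name));
    array_shift($parts); // remove the base name, keep the suffixes
    if ($parts === []) {
        return 'no extension';
    }
    foreach ($parts as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension not allowed: $ext";
        }
    }
    // Second layer: leading text or image bytes prove nothing, because PHP runs
    // code wherever an open tag appears in a file that reaches the interpreter.
    if (preg_match('/<\?(php|=)/i', $contents) === 1) {
        return 'PHP open tag in content';
    }
    return null;
}

// Constructed samples for demonstration.
$samples = [
    ['photo.jpg',     "\xFF\xD8\xFF\xE0 constructed image bytes"],
    ['note.txt',      'test<?php phpinfo(); ?>'],
    ['shell.php.jpg', 'constructed'],
    ['avatar.PHP',    'constructed'],
];
foreach ($samples as [$name, $body]) {
    printf("%-14s %s\n", $name, reject_reason($name, $body) ?? 'accepted');
}
```

Content scanning is only a backstop: the upload directory should also be configured so the web server never passes its files to the PHP interpreter.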

Severity

https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:L

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-4606

https://huntr.dev/bounties/3dab0466-c35d-4163-b3c7-a8666e2f7d95/

https://github.com/flatpressblog/flatpress