CVE-2019-11185

The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending "magic bytes" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://wordpress.org/plugins/wp-live-chat-support/#developers	Third Party Advisory
https://wp-livechat.com/	Vendor Advisory
https://wpvulndb.com/vulnerabilities/9320	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:3cx:live_chat:*:*:*:*:*:wordpress:*:*

History

26 May 2023, 18:55

Type	Values Removed	Values Added
CPE	cpe:2.3:a:wp-livechat:wp_live_chat_support_pro::::::wordpress::*	cpe:2.3:a:3cx:live_chat::::::wordpress::*

Information

Published : 2019-06-03 21:29

Updated : 2024-02-04 20:20

NVD link : CVE-2019-11185

Mitre link : CVE-2019-11185

CVE.ORG link : CVE-2019-11185

JSON object : View

Products Affected

3cx

live_chat

CWE

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2019-11185", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-06-03T21:29:00.490", "references": [{"url": "https://wordpress.org/plugins/wp-live-chat-support/#developers", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://wp-livechat.com/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://wpvulndb.com/vulnerabilities/9320", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending \"magic bytes\" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST api remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension."}, {"lang": "es", "value": "El plugin WP Live Chat Support Pro a trav\u00e9s de 8.0.26 para WordPress contiene una vulnerabilidad de carga de archivos arbitraria. Esto resulta de un ajuste incompleto para CVE-2018-12426. La carga arbitraria de archivos se logra utilizando una extensi\u00f3n de archivo ejecutable no incluida en la lista negra junto con una extensi\u00f3n de archivo en la lista blanca, y a\u00f1adiendo \"bytes m\u00e1gicos\" a la carga \u00fatil para pasar las comprobaciones MIME. Espec\u00edficamente, un usuario remoto no identificado env\u00eda una solicitud POST de carga de archivos dise\u00f1ada al punto final REST api remote_upload. El archivo contiene datos que enga\u00f1ar\u00e1n al cheque MIME del plugin al clasificarlo como una imagen (que es una extensi\u00f3n de archivo en la lista blanca) y, finalmente, una extensi\u00f3n de archivo .phtml final."}], "lastModified": "2023-05-26T18:55:47.037", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:3cx:live_chat:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "67BCD490-D917-4DCD-9A08-73158864786C", "versionEndExcluding": "8.0.26"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}