Everest Backup < 2.2.5 – Admin+ Arbitrary File Upload | CVE 2023-7201

Description

The plugin does not properly validate backup files to be uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Proof of Concept

1. Go to the plugin setting and in the "Restore" section upload the backup file by the "Select File" button(.ebwp format). Select an a file on your computer with the `.ebwp` extension. It must have some contents to pass the plugins validation check. As a PoC, add `<?php echo system($_GET['cmd']); ?>`
2. Capture the HTTP request and in "Content-Disposition:" change the file extension `.php`.
3. Check the response of the HTTP request and if the upload was successful the status code will be "200" and in the body, you can see the path of your file.
4. Open the file and run the code, i.e `cmd.php?cmd=ls` open the file and run your code. In this example, you will get a directory listing.