My Account Page Editor < 1.3.2 – Subscriber+ Arbitrary File Upload | CVE 2023-4536

Description

The plugin does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE

Proof of Concept

# Prerequisite:

This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't the default. You can activate that feature on the following page: /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=profile_img_settings. 

It also needs to have the "Endpoints as:" setting value be "theme", which can be verified at /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=endpoints_settings. You may need to press "Save Settings" once, even if it's the default as it does not seem like this option is always populated in the database.

# Proof of concept:

Note: We are assuming WooCommerce's default user account page (/my-account/) hasn't changed.

1) Have a malicious PHP file handy. It can be as simple as containing <?php phpinfo();
1) While logged-in as a Subscriber, or WooCommerce customer, visit /my-account/
2) Click on your user's avatar to change it, and upload your PHP file instead. (Since v1.3.0, the request made needs to be intercepted and the Content-Type of the file changed to image)
3) Search for your uploaded PHP file somewhere in /wp-content/uploads.