WordPress Plugin Vulnerabilities
Kaswara Modern VC Addons (0-day) - Unauthenticated Arbitrary File Upload
Description
The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is extracted into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP.
The vendor has been unresponsive to both the reporter and Envato, and the issue is being widely exploited.
Indicator of Compromise (IoC):
- /wp-content/uploads/kaswara/fonts_icon/jg4/coder.php
- /wp-content/uploads/kaswara/icons/brt/t.php
- /wp-content/uploads/kaswara/icons/kntl/img.php
- /wp-content/uploads/kaswara/fonts_icon/15/icons.php
Notes (WPScanTeam)
- The issue has been confirmed in versions up to 2.3.1 by the reporter
- In v3.x (confirmed in 3.0.1 by us), the uploadFontIcon AJAX action does not exist anymore, but other actions can be used to achieve the same goal.
- The uploaded files are usually located in /wp-content/uploads/kaswara/ (check all folders there), but can be put anywhere via a path traversal vector
- It's unclear whether or not the issue has been patched or if a fix is being worked on due to the unresponsiveness of the vendor
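A defender-side check for the indicators above and for the note that uploaded files usually land under /wp-content/uploads/kaswara/ but can be written elsewhere via path traversal. This is an added example, not code from WPScan or the plugin vendor: it walks a WordPress install, flags any file under the plugin's upload folder (or, optionally, the whole uploads tree) whose name carries a PHP-executable extension, and separately tests the four IoC paths listed in this advisory. The sample site tree it scans is constructed inside a temporary directory; the marker files contain no payload.

```python
import shutil
import tempfile
from pathlib import Path

# Paths listed in the advisory as indicators of compromise, relative to the WordPress root.
KNOWN_IOC_PATHS = (
    "wp-content/uploads/kaswara/fonts_icon/jg4/coder.php",
    "wp-content/uploads/kaswara/icons/brt/t.php",
    "wp-content/uploads/kaswara/icons/kntl/img.php",
    "wp-content/uploads/kaswara/fonts_icon/15/icons.php",
)

# Extensions that common Apache/PHP-FPM setups execute as PHP. Nothing under
# wp-content/uploads should ever carry one, including as a middle extension
# such as "x.php.jpg", which some AddHandler configurations still execute.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phar", ".phps"}


def find_executable_uploads(wp_root, subdir="wp-content/uploads/kaswara"):
    """Return sorted, root-relative POSIX paths of PHP-executable files below subdir.

    The default scope is the plugin's own upload folder named in the advisory;
    pass subdir="wp-content/uploads" to cover files dropped elsewhere via traversal.
    """
    root = Path(wp_root)
    scope = root / subdir
    hits = []
    if not scope.is_dir():
        return hits
    for path in scope.rglob("*"):
        if not path.is_file():
            continue
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & EXECUTABLE_SUFFIXES:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def check_known_iocs(wp_root):
    """Return the advisory's IoC paths that exist as files under wp_root."""
    root = Path(wp_root)
    return [rel for rel in KNOWN_IOC_PATHS if (root / rel).is_file()]


def build_sample_site():
    """Create a constructed WordPress tree in a temp dir (assumption: demo data, not a real host)."""
    tmp = Path(tempfile.mkdtemp(prefix="kaswara-demo-"))
    files = {
        # Legitimate font-icon assets the plugin would normally unpack.
        "wp-content/uploads/kaswara/fonts_icon/abc/style.css": "/* constructed stylesheet */",
        "wp-content/uploads/kaswara/fonts_icon/abc/font.woff": "constructed-placeholder",
        # One path from the advisory's IoC list (constructed marker, not a payload).
        "wp-content/uploads/kaswara/icons/brt/t.php": "<?php /* constructed marker */ ?>",
        # Mixed-case extension under a folder not in the IoC list.
        "wp-content/uploads/kaswara/icons/x/shell.PHTML": "<?php /* constructed marker */ ?>",
        # Double extension outside the plugin folder, i.e. the traversal case from the notes.
        "wp-content/uploads/2023/01/cache.php.jpg": "<?php /* constructed marker */ ?>",
        "wp-content/uploads/2023/01/photo.jpg": "constructed-placeholder",
    }
    for rel, body in files.items():
        target = tmp / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return tmp


def cleanup_sample_site(tmp):
    """Remove the constructed tree."""
    shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    site = build_sample_site()
    try:
        print("plugin folder :", find_executable_uploads(site))
        print("all uploads   :", find_executable_uploads(site, "wp-content/uploads"))
        print("known IoCs    :", check_known_iocs(site))
    finally:
        cleanup_sample_site(site)
```

Run it against a real install by calling find_executable_uploads("/var/www/html") (path is an assumed example); the IoC check is only a quick triage, since the note above says uploaded files may sit in any folder under kaswara/ or elsewhere, so the wider uploads scan is the one to act on.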