The plugin allows unauthenticated arbitrary file upload via the 'uploadFontIcon' AJAX action. The supplied zip file is unzipped into the wp-content/uploads/kaswara/fonts_icon directory with no checks for malicious files such as PHP. The vendor has been unresponsive to both the reporter and Envato, and the issue is being widely exploited.

Indicators of Compromise (IoC):
- /wp-content/uploads/kaswara/fonts_icon/jg4/coder.php
- /wp-content/uploads/kaswara/icons/brt/t.php
- /wp-content/uploads/kaswara/icons/kntl/img.php
- /wp-content/uploads/kaswara/fonts_icon/15/icons.php

Notes (WPScanTeam)
- The issue has been confirmed in versions up to 2.3.1 by the reporter.
- In v3.x (confirmed in 3.0.1 by us), the uploadFontIcon AJAX action does not exist anymore, but other actions can be used to achieve the same goal.
- The uploaded files are usually located in /wp-content/uploads/kaswara/ (check all folders there), but can be put anywhere via a path traversal vector, so the listed IoC paths are examples rather than an exhaustive list.
- It's unclear whether the issue has been patched or whether a fix is being worked on, due to the unresponsiveness of the vendor.
The PoC will be displayed once the issue has been remediated
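The following is an added triage example, not code from WPScan, the reporter or the plugin vendor. It shows two checks a site owner would want after reading the notes above: a walk of the whole wp-content/uploads tree (not only the kaswara folder, since the traversal vector can drop files elsewhere) that flags any PHP-like file and marks hits that match the advisory's IoC paths, and the entry filter a safe zip extraction should have applied (reject PHP files and any entry that escapes the target directory). The uploads layout and the zip archive built in the block are constructed sample data, and the extension list is an assumption to be adjusted to the host's handler configuration.

```python
"""Added example (not WPScan's or the vendor's code): post-incident checks for the
Kaswara font-icon upload issue. The demo uploads tree and demo zip are constructed."""
import io
import os
import posixpath
import tempfile
import zipfile

# IoC paths from the advisory, relative to the WordPress root.
IOC_PATHS = {
    "wp-content/uploads/kaswara/fonts_icon/jg4/coder.php",
    "wp-content/uploads/kaswara/icons/brt/t.php",
    "wp-content/uploads/kaswara/icons/kntl/img.php",
    "wp-content/uploads/kaswara/fonts_icon/15/icons.php",
}

# Assumed list of extensions a typical Apache/PHP-FPM setup executes; extend per host.
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")


def is_php_name(filename):
    """True if any extension in the name is PHP-like ("shell.php.jpg" counts too,
    since AddHandler-style configs execute on the first matching extension)."""
    parts = filename.lower().split(".")[1:]
    return any("." + p in PHP_EXTENSIONS for p in parts)


def find_suspicious_uploads(wp_root):
    """Walk wp-content/uploads under wp_root; return sorted (relative_path, is_ioc)
    for every PHP-like file. Uploads should never contain executable PHP at all."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    hits = []
    for dirpath, _dirs, files in os.walk(uploads):
        for fn in files:
            if is_php_name(fn):
                rel = os.path.relpath(os.path.join(dirpath, fn), wp_root)
                rel = rel.replace(os.sep, "/")
                hits.append((rel, rel in IOC_PATHS))
    return sorted(hits)


def unsafe_zip_entries(zip_bytes):
    """Entries a safe font-icon unzipper must refuse: absolute or '..' paths (zip slip)
    and PHP-like file names. Returns (entry_name, reason) in archive order."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.replace("\\", "/").split("/")
            if posixpath.isabs(name) or ".." in parts:
                bad.append((name, "path traversal"))
            elif is_php_name(posixpath.basename(name)):
                bad.append((name, "executable php"))
    return bad


def build_demo_tree():
    """Constructed sample WordPress root: one IoC hit, one PHP file dropped outside
    the kaswara folder via traversal, and two legitimate font assets."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    sample = {
        "wp-content/uploads/kaswara/fonts_icon/jg4/coder.php": "<?php echo 1; ?>",
        "wp-content/uploads/kaswara/fonts_icon/jg4/icon.svg": "<svg/>",
        "wp-content/uploads/2021/04/img.php": "<?php echo 1; ?>",
        "wp-content/uploads/kaswara/icons/set1/font.woff": "wOFF",
    }
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def build_demo_zip():
    """Constructed sample archive: a legitimate icon, a PHP file, and a zip-slip entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fonts/icon.svg", "<svg/>")
        zf.writestr("fonts/shell.php", "<?php echo 1; ?>")
        zf.writestr("../../evil.php", "<?php echo 1; ?>")
    return buf.getvalue()


if __name__ == "__main__":
    for rel, ioc in find_suspicious_uploads(build_demo_tree()):
        print(("IOC  " if ioc else "PHP  ") + rel)
    for name, reason in unsafe_zip_entries(build_demo_zip()):
        print("REJECT %-20s %s" % (name, reason))
```

Run it against a real site by calling find_suspicious_uploads with the WordPress root; any hit is worth treating as a compromise indicator, not only the four paths listed above, because the advisory's IoC list is a sample of what has been seen rather than a complete set.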
UPLOAD
2021-04-20
2021-04-21
2021-04-27