Loco Translate < 2.5.4 – Authenticated PHP Code Injection | CVE 2021-24721

Description

The plugin mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations.

Proof of Concept

1. Using a User with the translator role, navigate to Loco Translate Menu > Plugins (or Themes)
2. Choose a Plugin or Theme which does not have a translation template already.
3. In the Advanced Tab, modify the Project Name by adding PHP Code like <? phpinfo(); ?> in the name field.
4. Save and Go back to Overview Tab, Click "+ Create Template", Then click the Create Template Button 
5. Intercept or replay the request made when clicking the Create Template Button, change the name of the file being saved and be sure it ends with .php
6. The plugin will save the template file now ending in .php (step 5) with the name value (from step 3) saved within it, in a web accessible location. Access this file to have the web server run the PHP code.

https://www.youtube.com/watch?v=OgcdDU9z7ls