WordPress Asset-Manager Plugin Unauthenticated File Upload Vulnerability

Vulnerability

The WordPress Asset-Manager plugin, in versions through 2.0, allows unauthenticated arbitrary file uploads. The flaw is in the upload.php file, which does not properly validate or restrict file types, so a remote attacker can upload malicious PHP scripts to a predictable temporary directory. An uploaded file can then be executed with a direct HTTP GET request, leading to remote code execution on the server in the web server's context.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads, which can be leveraged to execute malicious PHP scripts on the server, resulting in remote code execution.

Reproduction

To reproduce this vulnerability, upload a PHP file through the upload.php endpoint of the Asset-Manager plugin. This can be done using a tool like cURL or through a Metasploit module designed for this vulnerability. After the file is uploaded, it can be accessed and executed from the temporary directory where it was uploaded.
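
Detection logic for the sequence described above, as an added example that is not part of the original advisory or the plugin's code: it scans combined-format access logs for an accepted POST to the upload endpoint followed by a successful GET of a script file from the same client. The endpoint path, the uploads location, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed paths (not from the advisory): plugin slug and uploads location.
UPLOAD_RE = re.compile(r"/wp-content/plugins/asset-manager/upload\.php", re.I)
SCRIPT_RE = re.compile(r"/wp-content/uploads/[^?\s]*\.(?:php\d?|phtml|phar)(?:\?|$)", re.I)
# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def find_upload_then_execute(lines, window=timedelta(minutes=10)):
    """Return (ip, upload_path, script_path) for every accepted POST to the
    upload endpoint that the same client follows with a 200 GET of a script."""
    last_upload = {}  # ip -> (time, path) of that client's latest accepted upload
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, path = m["ip"], m["method"], m["path"]
        status = int(m["status"])
        if method == "POST" and UPLOAD_RE.search(path) and status < 400:
            last_upload[ip] = (ts, path)
        elif method == "GET" and SCRIPT_RE.search(path) and status == 200:
            seen = last_upload.get(ip)
            if seen and timedelta(0) <= ts - seen[0] <= window:
                hits.append((ip, seen[1], path))
    return hits

# Constructed sample log: documentation IP ranges, made-up directory and file names.
_EP = "/wp-content/plugins/asset-manager/upload.php"
_UP = "/wp-content/uploads"
SAMPLE_LOG = [
    f'203.0.113.7 - - [05/Aug/2025:21:00:01 +0000] "POST {_EP} HTTP/1.1" 200 35 "-" "curl/8.0"',
    f'203.0.113.7 - - [05/Aug/2025:21:00:04 +0000] "GET {_UP}/example-tmp/a1.php HTTP/1.1" 200 12 "-" "curl/8.0"',
    f'198.51.100.9 - - [05/Aug/2025:21:05:00 +0000] "GET {_UP}/2025/08/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [05/Aug/2025:21:06:00 +0000] "POST {_EP} HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    f'198.51.100.9 - - [05/Aug/2025:21:06:05 +0000] "GET {_UP}/example-tmp/b2.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [05/Aug/2025:21:30:00 +0000] "GET {_UP}/example-tmp/a1.php?v=1 HTTP/1.1" 200 12 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_upload_then_execute(SAMPLE_LOG):
        print("upload followed by script execution:", hit)
```

Correlating by client address misses an upload and a follow-up request that arrive from different addresses; alerting on any script file served from the uploads tree covers that case.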

Added: Aug 5, 2025, 9:27 PM
Updated: Aug 5, 2025, 9:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.