Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

WP Cost Estimation Plugin Arbitrary File Upload and Deletion Vulnerability

Vulnerability

A vulnerability in the WP Cost Estimation plugin for WordPress, in versions through 9.642, allows for arbitrary file uploads and deletions. This issue arises from inadequate file type validation in the lfb_upload_form and lfb_removeFile AJAX actions. Unauthenticated attackers can exploit this vulnerability to upload arbitrary files to the server, potentially leading to remote code execution. Additionally, attackers can delete files from the server, including database configuration files, and replace them with their own.

Impact

Exploitation of this vulnerability allows for arbitrary file uploads and deletions. Uploaded files could be executed as PHP scripts, facilitating remote code execution. Deleting wp-config.php would disrupt the site's database connection, allowing an attacker to establish a new connection to a remote database and gain administrative access.

Reproduction

The vulnerability can be reproduced by sending a POST request to wp-admin/admin-ajax.php with the action 'lfb_upload_form'. The request must include a file that bypasses the plugin's basic filename checks to exploit the upload vulnerability. After successfully uploading a file, the same process can be repeated with the 'lfb_removeFile' action to delete arbitrary files from the server.

Remediation

Users are advised to update the WP Cost Estimation plugin to version 9.644 or later.
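The two AJAX action names above are the most useful hunting handle for this issue. The following is an added defender-side example, not code from the advisory or the plugin: it scans constructed Apache-style access-log lines for requests to admin-ajax.php that name either action, and checks whether an installed plugin version falls in the affected range (through 9.642). The log lines, IPs and timestamps are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jan/2026:03:22:01 +0000] "POST /wp-admin/admin-ajax.php?action=lfb_upload_form HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [08/Jan/2026:03:22:04 +0000] "POST /wp-admin/admin-ajax.php?action=lfb_removeFile HTTP/1.1" 200 48 "-" "python-requests/2.31"
198.51.100.7 - - [08/Jan/2026:03:25:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 96 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [08/Jan/2026:03:26:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# The two AJAX actions named in the advisory.
VULN_ACTIONS = {"lfb_upload_form", "lfb_removeFile"}


def flag_lfb_requests(log_text):
    """Return (ip, action, status) for each admin-ajax.php request that names
    one of the vulnerable actions in its query string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(parts.query).get("action", [""])[0]
        if action in VULN_ACTIONS:
            hits.append((m.group("ip"), action, int(m.group("status"))))
    return hits


def is_vulnerable_version(version):
    """True when the installed plugin version is 9.642 or earlier
    (the advisory states the fix shipped in 9.644)."""
    return tuple(int(p) for p in version.split(".")) <= (9, 642)


if __name__ == "__main__":
    for ip, action, status in flag_lfb_requests(SAMPLE_LOG):
        print(f"{ip} called {action} (HTTP {status})")
    print("9.642 affected:", is_vulnerable_version("9.642"))
```

admin-ajax.php also accepts the action parameter in the POST body, which a plain access log does not record; requests of that form are only visible in WAF or request-body logging, so an empty result from this scan does not rule out exploitation.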

Added: Jan 8, 2026, 3:22 AM
Updated: Jan 8, 2026, 3:22 AM

Vulnerability Rating

Custom Algorithm scores (0.0 to 10.0):

spread: 0.0
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 1.9
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.