WordPress Plugin Download From Files Arbitrary File Upload Vulnerability

Vulnerability

An arbitrary file upload vulnerability has been identified in the WordPress plugin Download From Files, affecting versions through 1.48. It allows unauthenticated attackers to upload malicious files via the plugin's AJAX fileupload action: a POST request to the admin-ajax.php endpoint with the download_from_files_617_fileupload action can manipulate the allowExt parameter to bypass the file type restrictions and upload executable files, such as PHP shells, to the web root.

Impact

Exploitation of this vulnerability allows arbitrary file upload, which can lead to the execution of the uploaded malicious files, such as web shells, on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the WordPress admin-ajax.php endpoint with the action set to download_from_files_617_fileupload. Include a file in the request that has an extension allowed by the manipulated allowExt parameter, such as php4 or phtml. The uploaded file will be placed in the web root, where it can be executed.
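For defenders, the two checks that follow from the advisory are: is the installed plugin version in the affected range, and do the access logs show requests to the vulnerable AJAX action, particularly ones carrying a client-supplied allowExt that names a PHP-executable extension. The script below is an added example, not part of the advisory or the plugin; the log format is the Apache/nginx "combined" format, the sample lines are constructed, and the extension list beyond php4 and phtml is an assumption to tune per server.

```python
import re
from urllib.parse import parse_qs, urlsplit

# From the advisory above: the vulnerable AJAX action and the last affected version.
VULN_ACTION = "download_from_files_617_fileupload"
LAST_VULNERABLE_VERSION = (1, 48)
# Extensions a typical PHP host executes; php4 and phtml are named in the advisory,
# the others are common handler aliases (assumption: tune to your server config).
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar"}
# Apache/nginx "combined" access-log line; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def is_vulnerable_version(version: str) -> bool:
    # "versions through 1.48" compared numerically, so 1.5 counts as older than 1.48
    return tuple(int(p) for p in version.split(".")) <= LAST_VULNERABLE_VERSION

def has_executable_extension(filename: str) -> bool:
    # Strict on purpose: any executable extension after the first dot is flagged,
    # so both "shell.php4" and "shell.phtml.jpg" match.
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return any(p in EXECUTABLE_EXTS for p in parts[1:])

def flag_request(line: str):
    # Returns a reason string when the line targets the vulnerable action, else None.
    # An action sent only in the POST body is invisible here; pair this with a scan of
    # the web root for newly written files that has_executable_extension() flags.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(url.query)
    if VULN_ACTION not in qs.get("action", []):
        return None
    reasons = [f"{m['method']} {VULN_ACTION} from {m['ip']} (status {m['status']})"]
    for value in qs.get("allowExt", []):
        if has_executable_extension("x." + value.lower().replace(",", ".")):
            reasons.append(f"client-supplied allowExt={value}")
    return "; ".join(reasons)

def scan_log(lines):
    return [hit for hit in map(flag_request, lines) if hit]

# Constructed sample lines, not from a real incident.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jun/2026:08:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload&allowExt=php4 HTTP/1.1" 200 57 "-" "curl/8.0"',
    '198.51.100.2 - - [01/Jun/2026:08:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 31 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [01/Jun/2026:08:02:42 +0000] "POST /wp-admin/admin-ajax.php?action=download_from_files_617_fileupload HTTP/1.1" 200 44 "-" "python-requests/2.31"',
]
```

Calling scan_log(SAMPLE_LOG) returns two hits (the first and third sample lines); the heartbeat request is ignored.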

Added: May 10, 2026, 1:34 PM
Updated: May 10, 2026, 1:34 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.