WavePlayer WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability in the WavePlayer WordPress plugin, affecting versions prior to 3.8.0, allows unauthenticated users to upload arbitrary files to the server. This issue arises because an AJAX action lacks proper authorization and does not validate the files being copied locally. Exploitation of this vulnerability can lead to remote code execution.
Impact
Successful exploitation allows for arbitrary file uploads, which can be used to execute malicious code on the server.
Reproduction
To reproduce this vulnerability, first fetch a nonce from any public page on the WordPress site. Then, send a POST request to the site with the 'wvpl-ajax' parameter set to 'create_local_copy', including the nonce and a URL pointing to a remote PHP payload. The response will confirm the upload and provide a link to the uploaded file, which will be accessible via the web.
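A defender-side check for the request described above, as an added example that is not part of the original advisory or the plugin's code: it scans request logs for `wvpl-ajax=create_local_copy` and escalates when any parameter carries a URL ending in a server-executable extension. It assumes a WAF or audit log that records POST bodies; the JSON field names and the parameters `p1`/`p2` are constructed placeholders.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Extensions a PHP-enabled server may execute (assumption; match your server config).
EXEC_EXT = (".php", ".phtml", ".phar", ".php5", ".php7")

# Constructed audit-log records, one JSON object per line. Field names and the
# parameters p1/p2 are placeholders; only wvpl-ajax=create_local_copy is from the advisory.
SAMPLE_LOG = """\
{"ip":"203.0.113.7","method":"GET","uri":"/","cookies":"","body":""}
{"ip":"203.0.113.7","method":"POST","uri":"/","cookies":"","body":"wvpl-ajax=create_local_copy&p1=abc123&p2=https%3A%2F%2Fexample.net%2Fa.php"}
{"ip":"198.51.100.4","method":"POST","uri":"/?wvpl-ajax=create_local_copy","cookies":"wordpress_logged_in_x=1","body":"p1=ff00&p2=https%3A%2F%2Fexample.org%2Ftrack.mp3"}
{"ip":"198.51.100.9","method":"POST","uri":"/wp-login.php","cookies":"","body":"log=admin&pwd=x"}
"""

def request_params(rec):
    """Decoded (name, value) pairs from both the query string and the form body."""
    query = urlsplit(rec["uri"]).query
    return parse_qsl(query, keep_blank_values=True) + parse_qsl(rec["body"], keep_blank_values=True)

def executable_urls(pairs):
    """Values of any parameter that are http(s) URLs whose path ends in an executable extension."""
    hits = []
    for _name, value in pairs:
        url = urlsplit(value)
        if url.scheme in ("http", "https") and url.path.lower().endswith(EXEC_EXT):
            hits.append(value)
    return hits

def classify(rec):
    """Return a finding for a create_local_copy request, or None for unrelated traffic."""
    pairs = request_params(rec)
    if rec["method"] != "POST" or ("wvpl-ajax", "create_local_copy") not in pairs:
        return None
    # Cookie presence is only a hint of a logged-in session, not proof of authorization.
    authenticated = "wordpress_logged_in" in rec["cookies"]
    urls = executable_urls(pairs)
    severity = "high" if urls else ("low" if authenticated else "medium")
    return {"ip": rec["ip"], "severity": severity, "authenticated": authenticated, "urls": urls}

def scan(log_text):
    """Classify every non-empty JSON line and keep only the findings."""
    records = (json.loads(line) for line in log_text.splitlines() if line.strip())
    return [finding for finding in map(classify, records) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The extension match is a heuristic: a remote URL can serve PHP content under any path, so on sites still running a version prior to 3.8.0 the unauthenticated "medium" findings deserve review as well.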
Remediation
Users are advised to update the WavePlayer WordPress plugin to version 3.8.0 or later.
