Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
AI Feeds WordPress Plugin Unauthenticated Arbitrary File Upload Vulnerability
Vulnerability
The AI Feeds WordPress plugin, in versions up to and including 1.0.11, allows unauthenticated arbitrary file upload. The plugin's 'actualizador_git.php' updater script is reachable without authentication and performs no capability check before acting on the request, so an unauthenticated attacker can make the server download an arbitrary GitHub repository and overwrite the plugin's files with its contents. Because the attacker chooses the repository, this results in remote code execution when the repository contains PHP.
Impact
Exploitation gives an unauthenticated attacker arbitrary file write into the plugin directory, which is sufficient for remote code execution: an exploit that plants a PHP web shell this way has been demonstrated.
Reproduction
To reproduce, send an unauthenticated request to 'wp-content/plugins/ai-feeds/actualizador_git.php' carrying the 'owner', 'repo', 'ref' and 'token' parameters. 'owner', 'repo' and 'ref' identify the GitHub repository (and the branch, tag or commit) that the plugin will download; 'token' accepts a GitHub personal access token. Pointing these parameters at a repository that contains a malicious file, such as a PHP web shell, causes that file to be written into the plugin directory, after which it can be requested directly and commands passed to it via its command parameter.
Remediation
Users are advised to update the AI Feeds WordPress plugin to version 1.0.12 or later. Because the flaw is being exploited in the wild, sites that ran an affected version with the plugin reachable from the internet should also be checked for requests to 'actualizador_git.php' in the web server access logs and for unexpected or modified files under 'wp-content/plugins/ai-feeds/'.
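The following is an added detection example, not code from the advisory or from the plugin. It covers both the reproduction steps above (hits on the updater endpoint, with or without the 'owner'/'repo'/'ref'/'token' parameters) and the remediation check (whether an installed version string falls in the affected range). The log lines are constructed for illustration and use documentation IP ranges; the regular expression assumes the common Apache/Nginx "combined" log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path of the unauthenticated updater endpoint named in the advisory.
UPDATER_PATH = "/wp-content/plugins/ai-feeds/actualizador_git.php"
# Last affected version per the advisory; 1.0.12 and later are fixed.
LAST_VULNERABLE = (1, 0, 11)

# Apache/Nginx "combined" log format (assumption: adjust if your format differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(version):
    """'1.0.11' -> (1, 0, 11) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version):
    """True for any release up to and including 1.0.11."""
    return parse_version(version) <= LAST_VULNERABLE


def parse_log_line(line):
    """Split one combined-format access log line into fields; None if it does not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    target = urlsplit(record["target"])
    record["path"] = target.path
    record["params"] = parse_qs(target.query)
    return record


def classify_updater_request(record):
    """Return a finding for any hit on the updater endpoint, else None.

    A request that also names a repository (owner + repo) is the exploitation
    pattern from the advisory and is rated high; a bare hit is still reported,
    because parameters sent in a POST body never appear in the access log.
    """
    if record is None or not record["path"].endswith(UPDATER_PATH):
        return None
    params = record["params"]
    finding = {
        "ip": record["ip"],
        "ts": record["ts"],
        "method": record["method"],
        "status": record["status"],
        "owner": params.get("owner", [None])[0],
        "repo": params.get("repo", [None])[0],
        "ref": params.get("ref", [None])[0],
        # Record only that a GitHub token was supplied; never copy its value into findings.
        "token_supplied": "token" in params,
    }
    finding["severity"] = "high" if finding["owner"] and finding["repo"] else "info"
    return finding


def scan(lines):
    """Run the classifier over an iterable of raw log lines and collect findings."""
    return [
        finding
        for finding in (classify_updater_request(parse_log_line(line)) for line in lines)
        if finding
    ]


# Constructed sample log lines (not real traffic); the owner/repo/token values are placeholders.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    '203.0.113.5 - - [01/Jan/2025:10:00:07 +0000] "GET /wp-content/plugins/ai-feeds/'
    'actualizador_git.php?owner=example-owner&repo=example-repo&ref=main&token=EXAMPLE HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-content/plugins/ai-feeds/'
    'actualizador_git.php HTTP/1.1" 200 88',
    "not a log line",
]

if __name__ == "__main__":
    print("1.0.11 vulnerable:", is_vulnerable_version("1.0.11"))
    print("1.0.12 vulnerable:", is_vulnerable_version("1.0.12"))
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Feed real access logs to `scan()` line by line; any finding should be followed by a file-integrity check of 'wp-content/plugins/ai-feeds/', since a high-severity hit with a 200 response means the server may already have fetched and written attacker-chosen files.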
