Templately WordPress Plugin Arbitrary File Write Vulnerability

Vulnerability

An arbitrary file write vulnerability has been identified in the Templately plugin for WordPress, affecting all versions through 3.4.8. The issue arises from insufficient input validation in the 'save_template_to_file()' function: the user-controlled parameters 'session_id', 'content_id', and 'ai_page_ids' are used to build file paths without proper sanitization. This flaw enables unauthenticated attackers to write arbitrary '.ai.json' files to locations within the uploads directory.
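The following is an added example, not Templately's own code, showing how the path construction described above can be hardened: each user-supplied identifier is checked against a strict allowlist before it touches the path, and the resolved directory is confirmed to lie inside the WordPress uploads directory. The function and parameter names are assumptions; wp_upload_dir() and wp_mkdir_p() are WordPress core functions.

```php
<?php
// Added example (hypothetical helper, not the plugin's code): build the path of an
// '.ai.json' file from request parameters without trusting them as path fragments.
// Returns the full path on success, or null if any input is rejected.
function templately_safe_ai_json_path(string $session_id, string $content_id, string $ai_page_id): ?string
{
    // Allowlist the identifiers: letters, digits, '_' and '-' only, bounded length.
    // Directory separators, '.', and NUL bytes can therefore never reach the path.
    $pattern = '/\A[A-Za-z0-9_-]{1,64}\z/';
    foreach ([$session_id, $content_id, $ai_page_id] as $part) {
        if (!preg_match($pattern, $part)) {
            return null;
        }
    }

    // Anchor everything under the uploads directory reported by WordPress core.
    $upload = wp_upload_dir();
    if (!empty($upload['error'])) {
        return null;
    }
    $base = realpath($upload['basedir']);
    if ($base === false) {
        return null;
    }

    $dir  = $base . DIRECTORY_SEPARATOR . 'templately' . DIRECTORY_SEPARATOR . $session_id;
    $file = $dir . DIRECTORY_SEPARATOR . $content_id . '-' . $ai_page_id . '.ai.json';

    // Defence in depth: after creating the directory, verify that its canonical
    // location is still inside the uploads directory (allowlist is the primary control).
    if (!wp_mkdir_p($dir)) {
        return null;
    }
    $real_dir = realpath($dir);
    $prefix   = $base . DIRECTORY_SEPARATOR;
    if ($real_dir === false || strncmp($real_dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $file;
}
```

Validating the identifiers addresses the path construction only; the REST routes that reach this code should additionally carry a permission_callback so that unauthenticated requests are rejected before any file is written.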

Impact

Exploitation of this vulnerability allows for unauthenticated arbitrary file write within the WordPress uploads directory, which could be leveraged to upload malicious files or overwrite existing ones.

Reproduction

The vulnerability can be reproduced by sending a request to the Templately API endpoints 'ai-update' or 'ai-update-preview' with the 'session_id', 'content_id', and 'ai_page_ids' parameters. These parameters can be manipulated to create a file path that writes a '.ai.json' file to the uploads directory.

Remediation

Users are advised to update the Templately WordPress plugin to version 3.4.9 or later.

Added: Jan 10, 2026, 10:21 AM
Updated: Jan 10, 2026, 10:21 AM

Vulnerability Rating

Custom Algorithm

  spread          3.4
  impact          2.5
  exploitability  9.3
  remediation     7.7
  relevance       2.0
  threat          4.8
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.