WordPress midi-Synth Plugin Unauthenticated Arbitrary File Upload Vulnerability
Vulnerability
A vulnerability exists in the midi-Synth plugin for WordPress, allowing for unauthenticated arbitrary file uploads. This issue arises from inadequate validation of file types and extensions in the 'export' AJAX action, affecting all versions up to and including 1.1.0. The flaw enables attackers to upload arbitrary files to the server hosting the affected site. If an uploaded file can be executed as code, this could lead to remote code execution. The plugin's nonce, which is required for the upload process, is exposed in frontend JavaScript and is easily accessible to attackers, so it does not restrict the upload to authenticated users.
Impact
Exploitation of this vulnerability could result in unauthorized file uploads, potentially leading to remote code execution if the uploaded files are executed on the server.
Reproduction
To reproduce this vulnerability, send a POST request to the 'export' AJAX action, which does not properly validate file types. Include the exposed nonce in the request to bypass the security check. This can be done using a tool like cURL or through a custom script that interacts with the WordPress AJAX API.
Remediation
No known patch is available for this vulnerability. It is recommended to uninstall the affected plugin and consider a replacement.
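To act on this remediation across hosts, the Python script below checks whether an affected version is installed and lists files with executable extensions in the upload area. It is an added example, not code from the plugin or from this advisory. It assumes the plugin directory is named midi-synth and that uploads land under wp-content/uploads, neither of which the advisory states.

```python
import re
from pathlib import Path

AFFECTED_MAX = (1, 1, 0)    # advisory: all versions up to and including 1.1.0
PLUGIN_SLUG = "midi-synth"  # assumption: plugin directory name, not given on the page
# Assumption: extensions a typical PHP host may execute; match this to your server config.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}

def parse_version(text):
    """Return the 'Version:' value of a WordPress plugin header as a tuple, or None."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", text, re.I | re.M)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "1.1" to (1, 1, 0)

def installed_version(wp_root):
    """Read the header version from the plugin's main PHP file, if the plugin exists."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        if "Plugin Name:" in head:
            return parse_version(head)
    return None

def is_affected(version):
    return version is not None and version <= AFFECTED_MAX

def executable_uploads(scan_root):
    """List files under scan_root carrying an executable extension anywhere in the name."""
    hits = []
    for p in Path(scan_root).rglob("*"):
        # Check every suffix so double extensions such as 'x.php.jpg' are also flagged.
        if p.is_file() and EXEC_EXTS & {s.lower() for s in p.suffixes}:
            hits.append(p)
    return sorted(hits)

def audit(wp_root):
    """Summarise plugin exposure and suspicious files for one WordPress install."""
    version = installed_version(wp_root)
    uploads = Path(wp_root) / "wp-content" / "uploads"
    return {
        "version": version,
        "affected": is_affected(version),
        "suspicious_files": executable_uploads(uploads) if uploads.is_dir() else [],
    }
```

Call audit() with the WordPress root directory of each site. Any entry in suspicious_files on a host where affected is true warrants review of the file and of the web server logs around its modification time.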
