WP Duplicate WordPress Plugin Missing Authorization Vulnerability Allowing Arbitrary File Upload

A vulnerability exists in the WP Duplicate plugin for WordPress, specifically in versions up to and including 1.1.8. The issue stems from a missing authorization check in the 'process_add_site()' AJAX action, coupled with path traversal vulnerabilities in the file upload feature. This flaw enables authenticated attackers at the subscriber level to manipulate the 'prod_key_random_id' option. Once this option is set, an unauthenticated attacker can exploit it to bypass authentication checks and upload arbitrary files to the server using the 'handle_upload_single_big_file()' function. This sequence of actions could ultimately result in remote code execution.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, which may be used to execute malicious code on the server, depending on the nature of the uploaded file.

Reproduction

To reproduce this vulnerability, an authenticated user with subscriber-level privileges can send a request to the 'process_add_site()' AJAX action without the necessary authorization checks. This can be done by manipulating the 'prod_key' data to include a crafted value that exploits the path traversal vulnerability in the file upload functionality. Once the 'prod_key_random_id' option is set, an unauthenticated user can upload files using the 'handle_upload_single_big_file()' function, effectively executing the uploaded code remotely.

Remediation

Users are advised to update the WP Duplicate plugin to version 1.1.9 or later, where this vulnerability has been addressed.