Source: wpvulndb
WPVDB-ID: 80E0E21C-9E6E-406D-B598-18EB222B3E3E
Published: Sep 06, 2023 - 12:00 a.m.

My Account Page Editor < 1.3.2 - Subscriber+ Arbitrary File Upload

2023-09-06 00:00:00
wpscan.com

Tags: arbitrary file upload, rce, wordpress plugin

AI Score: 6.2
Confidence: High
EPSS: 0.001
Percentile: 19.3%

Description: The plugin does not validate the profile picture being uploaded, allowing any authenticated user, such as a subscriber, to upload arbitrary files to the server, leading to RCE.

PoC

Prerequisite: This vulnerability requires the "Upload Profile Picture" option to be enabled, which isn't the default. You can activate that feature on the following page: /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=profile_img_settings. It also needs the "Endpoints as:" setting value to be "theme", which can be verified at /wp-admin/edit.php?post_type=kamy_acc&page=customize-my-account-page-layout&tab=endpoints_settings. You may need to press "Save Settings" once, even if it's the default, as it does not seem like this option is always populated in the database.

# Proof of concept:

Note: We are assuming WooCommerce's default user account page (/my-account/) hasn't changed.

1) Have a malicious PHP file handy. It can be as simple as containing
