Share
## https://sploitus.com/exploit?id=956740AF-DAC1-507B-B386-28894297C4B0
# S2B AI Assistant โ€“ ChatBot, ChatGPT, OpenAI, Content & Image Generator put_contents($outfile, $file_content, FS_CHMOD_FILE)` ([line 344](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L344))

The vulnerability occurs because:

1. **Route Registration**: The upload endpoint is registered in [`AdminChatBotController.php`](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/controllers/AdminChatBotController.php#L25).
2. **Controller Access**: The `processAssistantUpload()` method handles the upload request ([line 1103](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/controllers/AdminChatBotController.php#L1103)).
3. **Input Processing**: User-controlled file data from `$_FILES['s2baia_chatbot_config_database']` is directly processed without proper validation.
4. **File Handling**: Only a custom extension whitelist check is applied using `checkAllowedFilesearchExtensions()` ([line 320](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L320)), which explicitly allows `.php` extension ([line 366](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L366)).
5. **File Storage**: Files are saved to `wp-content/uploads/YYYY/MM/`.

### Vulnerable Code Location

**File**: [`lib/helpers/Utils.php`](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php)
**Lines**: [289-348](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L289)

```php
public static function storeFile($targetDir) {
    global $wp_filesystem;

    // Initialize WP_Filesystem
    if (!function_exists('request_filesystem_credentials')) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
    }
    if (!WP_Filesystem()) {
        return '';
    }

    if (!isset($_FILES) || !is_array($_FILES) || !isset($_FILES['s2baia_chatbot_config_database'])) {  // SOURCE: User input ([line 300](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L300))
        return '';
    }

    if (!isset($_FILES['s2baia_chatbot_config_database']['error']) || !isset($_FILES['s2baia_chatbot_config_database']['name']) || !isset($_FILES['s2baia_chatbot_config_database']['size']) || !isset($_FILES['s2baia_chatbot_config_database']['tmp_name'])) {
        return '';
    }

    $chunk = isset($_REQUEST["chunk"]) ? (int) $_REQUEST["chunk"] : 0;
    $name = sanitize_file_name($_FILES['s2baia_chatbot_config_database']['name']);
    if (strlen($name) == 0) {
        return '';
    }

    $finfo = pathinfo($name);

    if (is_array($finfo)) {
        $fname = sanitize_file_name($finfo['filename']);
        $fext = $finfo['extension'];
        if (!self::checkAllowedFilesearchExtensions($fext)) {  // Only custom whitelist check ([line 320](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L320))
            return '';
        }
        if ($wp_filesystem->exists($targetDir . DIRECTORY_SEPARATOR . $name)) {
            $timest = time();
            $name = $fname . '_' . $timest . '_' . random_int(1000, 9999) . '.' . $fext;
        }
    }

    $tmp_name = sanitize_text_field($_FILES['s2baia_chatbot_config_database']['tmp_name']);
    $outfile = $targetDir . DIRECTORY_SEPARATOR . $name;

    // Open the output file and write contents using WP_Filesystem
    if ($chunk === 0) {
        $wp_filesystem->put_contents($outfile, '', FS_CHMOD_FILE);
    }

    // Read the temporary file and append its contents to the output file
    $file_content = $wp_filesystem->get_contents($tmp_name);
    if ($file_content === false) {
        return '';
    }

    // Append content to the file
    if (!$wp_filesystem->put_contents($outfile, $file_content, FS_CHMOD_FILE)) {  // SINK: Direct file write ([line 344](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L344))
        return '';
    }

    // Delete the temporary file using WordPress method
    // ... rest of function
}
```

**File**: [`lib/helpers/Utils.php`](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php)
**Lines**: [354-383](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L354)

```php
public static function checkAllowedFilesearchExtensions($ext) {
    switch ($ext) {
        case 'c':
        case 'cs':
        case 'cpp':
        case 'doc':
        case 'docx':
        case 'html':
        case 'java':
        case 'json':
        case 'md':
        case 'pdf':
        case 'php':  // Explicitly allows PHP files ([line 366](https://plugins.trac.wordpress.org/browser/s2b-ai-assistant/trunk/lib/helpers/Utils.php#L366))
        case 'pptx':
        case 'py':
        case 'rb':
        case 'tex':
        case 'txt':
        case 'css':
        case 'js':
        case 'sh':
        case 'ts':

            return true;

        default:
            return false;
    }
    return false;
}
```