As part of our continuing effort to find new ways to better protect our customers from vulnerabilities in WordPress plugins, we recently looked into whether there was any value in reviewing failed requests for files in the /wp-content/uploads/ directories on our websites to gather data on vulnerabilities we are not already aware of. After going through hundreds of requests from the past few months, we found nothing we didn’t already know. There were lots of requests for files that would have been added through arbitrary file upload vulnerabilities in plugins, but these were all vulnerabilities we already knew about. In many cases we had been the ones who discovered, through other means in the past, that they were being exploited (hackers fairly continually try to exploit a few vulnerabilities).
Shortly after that, though, a different type of request showed up. The request was for a file that would be at /wp-content/uploads/woocommerce-order-export.csv.txt. From the name, that would seem to be a file containing order data from WooCommerce. When we went looking for what the source of that might be, we found what might explain the request: a module for a claimed security scanner named “SVScanner – Scanner Vulnerability And MaSsive Exploit.” That doesn’t give any indication of the source of the file, or of whether the people behind the scanner are even aware of the source.
We looked at the plugins we could find that provide order export functionality for WooCommerce, and none of them seem to generate a file with that name that is saved to the uploads directory like that.
In doing some searching, we found that there are websites with this file that show up in Google’s search results, which isn’t good. In some cases the file is located in an upload directory for a month, like /wp-content/uploads/2018/07/woocommerce-order-export.csv.txt. We contacted a number of those websites a week ago to let them know about that and to ask if they were aware of what software generated the file. So far we haven’t heard back from them, and the files still exist on those websites.
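A site owner can run the same kind of review against their own access log. This is an added example, not code from this post or from the scanner it mentions; it assumes Apache/nginx combined-format logs, and the function name and sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumption: the access log uses the Apache/nginx "combined" format.
LOG_RE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
UPLOADS = "/wp-content/uploads/"
EXPORT_NAME = "woocommerce-order-export.csv.txt"  # file name from the post
MONTH_DIR = re.compile(r"^(/wp-content/uploads/)\d{4}/\d{2}/")


def review_upload_requests(lines):
    """Return (failed, served): 404 counts per uploads path, and the
    export-file paths that were actually served with a 200."""
    failed, served = Counter(), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = unquote(urlsplit(m["target"]).path)  # drop query string, decode %xx
        if not path.startswith(UPLOADS):
            continue
        if m["status"] == "404":
            # Fold /2018/07/-style month directories together so the same
            # file name requested under different months is counted as one.
            failed[MONTH_DIR.sub(r"\1<YYYY>/<MM>/", path)] += 1
        elif m["status"] == "200" and path.endswith("/" + EXPORT_NAME):
            served.add(path)  # the export file exists and is publicly readable
    return failed, served


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2018:10:01:02 +0000] "GET /wp-content/uploads/woocommerce-order-export.csv.txt HTTP/1.1" 404 512 "-" "-"',
    '192.0.2.10 - - [12/Jul/2018:10:01:03 +0000] "GET /wp-content/uploads/2018/07/woocommerce-order-export.csv.txt HTTP/1.1" 200 20480 "-" "-"',
    '198.51.100.7 - - [12/Jul/2018:10:05:00 +0000] "GET /wp-content/uploads/2018/06/woocommerce-order-export.csv.txt?x=1 HTTP/1.1" 404 512 "-" "-"',
    '198.51.100.7 - - [12/Jul/2018:10:05:09 +0000] "GET /wp-content/uploads/2017/11/woocommerce-order-export.csv.txt HTTP/1.1" 404 512 "-" "-"',
    '203.0.113.5 - - [12/Jul/2018:11:00:00 +0000] "GET /wp-content/uploads/2018/07/logo.png HTTP/1.1" 200 1024 "-" "-"',
    '203.0.113.5 - - [12/Jul/2018:11:00:01 +0000] "GET /index.php HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    failed, served = review_upload_requests(SAMPLE_LOG)
    for path, count in failed.most_common():
        print(f"{count:4d}  404  {path}")
    for path in sorted(served):
        print(f"SERVED (200): {path}")
```

Any path in the served set means the export file is present and readable by anyone on that site, which is the situation described above for the websites showing up in search results.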
If you know what generates that file, please leave a comment or contact us so that we can see about making sure that the software isn’t saving files insecurely, as it appears it might be.