WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload

ID EDB-ID:40012
Type exploitdb
Reporter i0akiN SEC-LABORATORY
Modified 2016-06-27T00:00:00


WordPress Ultimate Product Catalog Plugin 3.8.6 - Arbitrary File Upload. Webapps exploit for php platform

                                            # Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
# Date: 2016-06-23
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Version: 3.8.6
# Tested on: windows 7 + Mozilla firefox. 
# Demo: https://youtu.be/FSRZlD3SVQc


An arbitrary file upload web vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
The vulnerability allows remote attackers to upload arbitrary files within the wordpress upload directory if the plugin is premium version and the remote 
attacker have an especific account (contributor|editor|author|administrator) who can manage this plugin.


1.- Go to "Custom fields" tab and add a new custom field with "type" file.
2.- Go to "Products" tab, Now you can see a new field with that you added previously.
3.- Select your php shell and save the product.
4.- Go to uri "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.

 Vulnerable code
located in <upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check for file extensions.

function UPCP_Handle_File_Upload($Field_Name) {
	if (!is_user_logged_in()) {exit();}
		/* Make sure that the file exists */ 	 	
		elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
			$error = __('No file was uploaded here..', 'UPCP');
		/* Move the file and store the URL to pass it onwards*/ 	 	
		else {				 
		 	  $msg .= $_FILES[$Field_Name]['name'];
			//for security reason, we force to remove all uploaded file
			$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
			//create the uploads directory if it doesn't exist
			if (!file_exists($target_path)) {
				  mkdir($target_path, 0777, true);
			$target_path = $target_path . basename( $_FILES[$Field_Name]['name']); 
			if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
				//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
	 			  $error .= "There was an error uploading the file, please try again!";



Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]


2015-08-08: vulnerability found
2016-06-21: Reported to vendor (No response)
2016-06-24: Public disclousure