15 Apr 2025

Arbitrary File Upload Vulnerability in WP E-commerce CSV Importer

Someone reported to us that our Plugin Vulnerabilities Firewall had blocked an attempt to exploit what turned out to be an arbitrary file upload vulnerability in the plugin WP E-commerce CSV Importer. The blocked request was sent to the plugin’s file /upload/upload-file.php. The relevant code that allows arbitrary file uploads in the file is this:

$uploaddir = "../../../uploads/wpsc/product_images/";
$file = $uploaddir . basename($_FILES['uploadfile']['name']);
$type = $_FILES["uploadfile"]["type"];
$size=$_FILES['uploadfile']['size'];

if($size>1048576)
{
	echo "error file size > 1 MB";
	unlink($_FILES['uploadfile']['tmp_name']);
	exit;
}
$newfile = "../../../uploads/wpsc/product_images/thumbnails/" . basename($_FILES['uploadfile']['name']);

if (move_uploaded_file($_FILES['uploadfile']['tmp_name'], $file)) {

That takes a file sent with a request whose file field name is “uploadfile” and saves it to a directory on the website. The only check made is on the file size; the file's name, extension and type are not restricted, and no check is made as to whether the requester is logged in. For the file to be uploaded, the directory /wp-content/uploads/wpsc/product_images/ would need to already exist.
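For comparison, here is a hardened version of that handler, added as an example of the checks the snippet above lacks. It is not the plugin's code or its fix; it assumes it runs inside WordPress with the usual helpers loaded, and the nonce action name 'wpsc_csv_upload' is made up for the example.

```php
<?php
// Added example: a hardened product-image upload handler. Assumes WordPress is
// loaded (e.g. run as an admin-post.php action); 'wpsc_csv_upload' is an assumed nonce action.

function wpsc_csv_secure_upload(): string {
    // 1. Require an authenticated user with the upload capability and a valid nonce.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'Insufficient permissions', '', [ 'response' => 403 ] );
    }
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'wpsc_csv_upload' ) ) {
        wp_die( 'Invalid request', '', [ 'response' => 403 ] );
    }
    if ( empty( $_FILES['uploadfile'] ) || $_FILES['uploadfile']['error'] !== UPLOAD_ERR_OK ) {
        wp_die( 'Upload failed', '', [ 'response' => 400 ] );
    }
    $upload = $_FILES['uploadfile'];

    // 2. Same 1 MB limit as the original, enforced before any other processing.
    if ( $upload['size'] > 1048576 ) {
        wp_die( 'File too large', '', [ 'response' => 413 ] );
    }

    // 3. Allowlist of image types, validated against the file content rather than
    //    the client-supplied name or MIME type (both are attacker-controlled).
    $allowed = [ 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' ];
    $check   = wp_check_filetype_and_ext( $upload['tmp_name'], $upload['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || getimagesize( $upload['tmp_name'] ) === false ) {
        wp_die( 'Only JPEG, PNG and GIF images are accepted', '', [ 'response' => 415 ] );
    }

    // 4. Never reuse the client-supplied name: server-chosen name plus the validated extension,
    //    stored under the uploads directory WordPress reports rather than a relative path.
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'wpsc/product_images/';
    wp_mkdir_p( $dir );
    $dest = $dir . wp_generate_password( 16, false ) . '.' . $check['ext'];

    if ( ! move_uploaded_file( $upload['tmp_name'], $dest ) ) {
        wp_die( 'Could not store file', '', [ 'response' => 500 ] );
    }
    chmod( $dest, 0644 ); // not executable
    return $dest;
}
```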
