WordPress Plugin Vulnerabilities

woocommerce-csvimport 3.3.6 – Authenticated Arbitrary File Deletion

Description

Type user access: any user registered.

$_POST['filename'] is not escaped.
Code
File: wp-content/plugins/woocommerce-csvimport/export/include/classes/woocsvExport.php Line:64
public function delete_export_file() {

if ( isset( $_POST['filename'] ) ) {
@unlink( $_POST['filename'] );
}
wp_die( 0 );
}

Result:

wp-config.php file deleted and restart the all system.

Proof of Concept

Affects Plugins

Plugin icon
woocommerce-csvimport
No known fix

References

URL
https://lenonleite.com.br/publish-exploits/plugin-woocommerce-csv-importer-3-3-6-rce-unlink/

Miscellaneous

Submitter
Lenon Leite
Submitter website
https://lenonleite.com.br/
Submitter twitter
https://twitter.com/lenonleite
Verified
No
WPVDB ID
0bb2b891-07d4-40b3-b393-1b4de0ec116c

Timeline

Publicly Published
2017-12-27 (about 8 years ago)
Added
2018-04-09 (about 8 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2021-11-25
Title
WordPress < 5.8 - Plugin Confusion
Published
2024-10-09
Title
ivalt plugin contains malicious JS <= 1.0.0
Published
2014-08-01
Title
Buddypress <= 1.9.1 - Crafted bp_new_group_id Cookie Arbitrary Group Manipulation
Published
2024-04-11
Title
ProfilePress < 4.15.5 - Contributor+ Stored Cross-Site Scripting
Published
2024-10-14
Title
BuddyPress Better Registration <= 1.6 - Authentication Bypass to Administrator