WooCommerce Catalog Enquiry – Arbitrary File Upload | CVE 2017-18592 | Plugin Vulnerabilities

Description

Email from user:

"A 'fix' for the file upload vulnerability seems to have been introduced in version 3.0.2 with the cryptic description "Fixed some data issues."

However I hope you're aware that the vulnerability still exists and can be exploited by simply changing Content-Type in the HTTP request. You're trusting the client to be honest about Content-Type when you check "type" from $_FILES. The very first comment at http://php.net/manual/en/reserved.variables.files.php warns about this."

Additional notes:

File is uploaded to the '/wp-content/uploads/catalog_enquiry/' directory. Content type of "image/png" works.

Affects Plugins

woocommerce-catalog-enquiry

Fixed in 3.1.0

References

CVE

URL

https://www.pluginvulnerabilities.com/2017/04/20/arbitrary-file-upload-vulnerability-in-woocommerce-catalog-enquiry/

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

Verified

Yes

WPVDB ID

e8c87c22-4feb-4a16-845a-43806453e869

Timeline

Publicly Published

2017-04-20 (about 9 years ago)

Added

2017-07-19 (about 8 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2024-11-13

Title

CDI < 5.5.6 - Authenticated (Shop Manager+) Arbitrary File Upload

Published

2024-01-09

Title

AI Engine: ChatGPT Chatbot < 1.9.99 - Unauthenticated Arbitrary File Upload

Published

2024-12-17

Title

WPLMS < 1.9.9.5.2 - Authenticated (Contributor+) Arbitrary File Upload

Published

2014-08-01

Title

Image News Slider - Arbitrary File Upload

Published

2021-04-20

Title

Kaswara Modern VC Addons (0-day) - Unauthenticated Arbitrary File Upload