April 25, 2019 by Luka Šikić
Earlier this week, an arbitrary file upload vulnerability was found in WooCommerce Checkout Manager, a popular WordPress plugin that extends the functionality of the well-known WooCommerce plugin.
The vulnerability was publicly disclosed by pluginvulnerabilities.com, which is continuing its protest against the WordPress Support Forum moderators:
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum.
At the time of writing this article, the vulnerability in WooCommerce Checkout Manager has not been patched and potentially puts more than 60,000 websites at risk.
The vulnerability affects sites that have enabled the “Categorize Uploaded Files” option in the plugin settings.
The vulnerable functionality is the one that allows customers and visitors to upload files through a form during checkout. However, even if your site’s checkout form has no file upload field, you are still vulnerable as long as the option mentioned above is enabled.
From a more technical standpoint, the vulnerability is in the “includes/admin.php” file at line 2084, where the application moves the uploaded files into a directory using “move_uploaded_file” without first checking them against a list of allowed file types.
The vulnerable function is reachable by both registered users and anonymous visitors, because the AJAX hooks are registered for non-authenticated users as well.
Since there is no privilege or permission check before a file is uploaded, exploitation of the vulnerability in WooCommerce Checkout Manager is simple and does not require the attacker to have an account on the site.
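The two defects described above (no permission check on the AJAX handler and no allow-list before the uploaded file is moved) are shown here next to a hardened handler built on WordPress's own upload API. This is an added example and not the plugin's or WebARX's code; the hook name, the `wcm_demo_upload` action and the `wcm_file` field are assumptions.

```php
<?php
// Added example: the weak pattern the post describes, beside a hardened version.
// Hook/action/field names are assumptions, not taken from the plugin.

// Weak pattern: file moved as-is, no capability check, no type allow-list,
// and (per the post) reachable through a hook open to anonymous visitors.
function wcm_demo_upload_weak() {
    $f = $_FILES['wcm_file'];
    move_uploaded_file( $f['tmp_name'], wp_upload_dir()['basedir'] . '/' . $f['name'] );
    wp_send_json_success();
}

// Hardened version: requires a logged-in user with upload rights, a nonce,
// an allow-list verified against the file's actual content, and
// wp_handle_upload(), which sanitizes the name and honours the site's MIME policy.
function wcm_demo_upload_hardened() {
    if ( ! is_user_logged_in() || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'wcm_demo_upload', 'nonce' );

    if ( empty( $_FILES['wcm_file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['wcm_file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Allow-list of extension => MIME type; wp_check_filetype_and_ext() also
    // inspects the file's real type, so a renamed script does not pass as a PDF.
    $allowed = array( 'pdf' => 'application/pdf', 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $check   = wp_check_filetype_and_ext( $_FILES['wcm_file']['tmp_name'], $_FILES['wcm_file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['wcm_file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}

// Only the hardened handler is hooked, and only for authenticated requests
// (wp_ajax_, not wp_ajax_nopriv_), so anonymous visitors never reach it.
add_action( 'wp_ajax_wcm_demo_upload', 'wcm_demo_upload_hardened' );
```

If a checkout form genuinely must accept files from guests, the same allow-list and wp_handle_upload() path still apply; the capability check is then replaced by a nonce tied to the checkout session plus a per-IP rate limit.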
If you are using the WooCommerce Checkout Manager plugin, please disable the “Categorize Uploaded Files” option on the plugin settings page, or disable the plugin completely until the developers release a patched version.
The WebARX web application firewall (WAF) already protects against this attack, and WebARX users are safe.