Wordpress security

Arbitrary File Upload Vulnerability In Popular WooCommerce Extension

Updated: December 8, 2020 by Oliver Sild

Earlier this week, an arbitrary file upload vulnerability has been found in popular WordPress plugin WooCommerce Checkout Manager which extends the functionality of well known WooCommerce plugin.

The vulnerability has been publicly disclosed by pluginvulnerabilities.com which continues the protest against WordPress forums moderators:

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior, we are full disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum

At the time of writing this article, the vulnerability in WooCommerce Checkout Manager is not patched and potentially puts more than 60,000 websites at risk.

Is your website protected from plugin vulnerabilities?

Protect your sites now
HTTP Security Headers

The vulnerability affects users that have enabled the “Categorize Uploaded Files” option within plugin settings.

WooCommerce Checkout Manager

Vulnerable functionality is the one that allows users and visitors to upload files in a form on checkout. However, even if you don’t have a file upload field in your site’s form – you are still vulnerable as long as you have the mentioned option enabled.

From the more technical aspect, vulnerability occurs inside the “includes/admin.php” file at line 2084 on which the application is moving given files to a directory using “move_uploaded_file” without prior proper check for allowed files. WooCommerce Checkout Manager

The vulnerable function is accessible to both, registered users and visitors as ajax hooks are registered to non-authenticated users as well.

WooCommerce Checkout Manager

Since there is no privilege or permission check before uploading a file, the exploitation of the vulnerability in WooCommerce Checkout Manager is simple and doesn’t require an attacker to be registered on the site.

If you are using the WooCommerce Checkout Manager plugin, please disable the “Categorize Uploaded Files” option on the plugin settings page or disable the plugin completely until developers release a patched version of the plugin.

WebARX web application firewall (WAF) is already protecting from this attack and WebARX users are safe.

Make sure your site is safe from such vulnerabilities.

Try webarx today
Wordpress security

Secure your websites like an expert - in under 3 minutes.

Try WebARX For Free

Get latest vulnerabilities directly to your inbox

30 000+ developers already benefit from our weekly newsletters.

suggested articles

Wordpress security

The Week of Yuzo and YellowPencil Plugin Vulnerabilities

Security advisory

Agnes
Talalaev

Wordpress security
Wordpress security

Social Warfare XSS and RCE Vulnerabilities and Attack Data

Security advisory

Oliver
Sild

Wordpress security
Wordpress security

WordPress Plugin ‘Simple Social Buttons’ Critical Security Bug

Security advisory

Oliver
Sild

Wordpress security
Wordpress security

Multiple Critical Vulnerabilities in LoginPress WordPress Plugin

Security advisory

Oliver
Sild

Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms:

PHP
WordPress
Magento
Drupal
Joomla