Wordpress security

Arbitrary File Upload Vulnerability in popular WooCommerce extension

April 25, 2019 by Luka Šikić

Earlier this week, an arbitrary file upload vulnerability was found in WooCommerce Checkout Manager, a popular WordPress plugin that extends the well known WooCommerce plugin.

The vulnerability was publicly disclosed by pluginvulnerabilities.com, which continues its protest against the moderators of the WordPress Support Forum:

Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, so we are releasing this post and then leaving a message about that for the developer through the WordPress Support Forum

At the time of writing, the vulnerability in WooCommerce Checkout Manager is unpatched and potentially puts more than 60,000 websites at risk.


The vulnerability affects sites that have enabled the “Categorize Uploaded Files” option in the plugin settings.


The vulnerable functionality is the one that lets customers and visitors upload files through a form on the checkout page. However, even if your checkout form has no file upload field, your site is still vulnerable as long as that option is enabled, because the upload handler itself remains reachable.

From a more technical standpoint, the vulnerability is in the “includes/admin.php” file, at line 2084, where the application moves the uploaded files into a directory with “move_uploaded_file” without first checking that the file type or extension is allowed. An attacker can therefore upload a file with an executable extension such as .php and then request it directly.

The vulnerable function is reachable by both registered users and unauthenticated visitors, because the plugin registers its AJAX hooks for unauthenticated requests as well (WordPress exposes such handlers through the “wp_ajax_nopriv_” hook prefix).


Since there is no privilege or permission check before the file is stored, exploiting the vulnerability in WooCommerce Checkout Manager is simple and does not require the attacker to have an account on the site.
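To make the pattern concrete, here is an added illustration (written for this article, not code from the WooCommerce Checkout Manager plugin) of a checkout upload handler in the vulnerable shape described above, followed by a hardened version. The action names, the “checkout_file” field name and the allowed-type list are assumptions chosen for the example; the plugin’s real identifiers are not reproduced here. The WordPress functions used (add_action, check_ajax_referer, wp_check_filetype_and_ext, wp_handle_upload, wp_send_json_error, wp_send_json_success) are standard core API.

```php
<?php
// Added example, not the plugin's code. Action name, field name and the
// allowed-type list are hypothetical.

// --- Vulnerable shape: AJAX hook registered for unauthenticated visitors too,
// and the file moved into the uploads directory without any validation.
add_action( 'wp_ajax_example_checkout_upload',        'example_vulnerable_upload' );
add_action( 'wp_ajax_nopriv_example_checkout_upload', 'example_vulnerable_upload' );

function example_vulnerable_upload() {
    $upload_dir = wp_upload_dir();
    foreach ( $_FILES as $file ) {
        // No nonce, no extension/MIME allow-list, attacker-controlled file name:
        // a .php payload lands in a web-served directory and can be requested.
        move_uploaded_file( $file['tmp_name'], $upload_dir['basedir'] . '/' . $file['name'] );
    }
    wp_die();
}

// --- Hardened version. Guest checkout is legitimate, so the nopriv hook has to
// stay; the fix is to validate what is uploaded and let WordPress place it.
add_action( 'wp_ajax_example_checkout_upload_safe',        'example_hardened_upload' );
add_action( 'wp_ajax_nopriv_example_checkout_upload_safe', 'example_hardened_upload' );

function example_hardened_upload() {
    // 1. CSRF protection: the request must carry a nonce issued to this form.
    check_ajax_referer( 'example_checkout_upload', 'nonce' );

    if ( empty( $_FILES['checkout_file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $file = $_FILES['checkout_file'];

    // 2. Explicit allow-list; WordPress cross-checks the extension against the
    //    detected MIME type, so "shell.php" or "shell.php.jpg" are rejected.
    $allowed = array(
        'pdf'      => 'application/pdf',
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], sanitize_file_name( $file['name'] ), $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // 3. wp_handle_upload() moves the file, de-duplicates the name and applies
    //    the same allow-list again; test_form=false because this is not the
    //    standard media form.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }

    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}
```

The point of the hardened handler is that the fix is not simply “require login”: checkout uploads from guests are a feature, so the unauthenticated hook must remain, and the defence has to be an allow-list on the file type plus letting WordPress control the destination path and file name. A nonce on its own would not have prevented this bug, since an attacker can obtain a nonce by loading the checkout page, but it does stop the handler being driven from a third-party site.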

If you are using the WooCommerce Checkout Manager plugin, disable the “Categorize Uploaded Files” option on the plugin settings page, or deactivate the plugin entirely, until the developers release a patched version. If the option has been enabled for some time, it is also worth checking the directory the plugin uploads into for files with executable extensions such as .php, since the flaw may already have been used.

The WebARX web application firewall (WAF) already blocks this attack, so WebARX users are protected.
