WooCommerce fixes critical Upload Files vulnerability

Developers have fixed a critical vulnerability in the WooCommerce Upload Files plugin.

WooCommerce is an open-source e-commerce platform used by WordPress websites around the world.

Tracked as CVE-2021-24171, this serious arbitrary file upload vulnerability can be exploited by attackers for remote code execution and to take over the website.

Although separate from the WooCommerce WordPress plugin, the Upload Files plugin is an add-on with over 5,000 active installations.

Researchers discover vulnerability in December 2020

Back in December 2020, researchers at Wordfence had discovered the arbitrary file upload bug in the WooCommerce Upload Files add-on, but worked with the vendor to ensure a proper coordinated disclosure could take place.

“After confirming the vulnerability, we contacted the plugin’s developer, Domenico Lagudi, who responded quickly and released a patch the same day, on December 29, 2020,” state the researchers in a posting.

Wordfence in-built firewall rules did provide some protection against this vulnerability, a bypass was still possible.

On realizing this, the researchers released a firewall rule to combat this issue.

“We quickly released a firewall rule to our premium customers on December 29, 2020. Sites still running the free version of Wordfence received the firewall rule 30 days later, on January 28, 2021,” the researchers continued.

Improper input sanitization led to double extension and path traversal attacks

The Upload Files constructed filenames of the uploaded files using information from the wcuf_current_upload_session_id and wcuf_file_name parameters.

While there were checks in place to ensure these parameters did not contain any forbidden file extensions, these checks fell short.

“For instance, uploading a file with a wcuf_current_upload_session_id parameter set to session1 and the wcuf_file_name parameter set to shell.php would result in the actual file uploaded being named session1_shell as the .php extension would be removed,” explains Wordfence.

The researchers further demonstrate different exploit techniques that can be used to exploit the vulnerability, including path traversal payload, and using double-extensions.

“Unfortunately, the wcuf_current_upload_session_id parameter was also not sufficiently sanitized and was vulnerable to directory traversal. For instance, if a request was sent with the wcuf_current_upload_session_id parameter set to ../../../../file and the wcuf_file_name set to info.p.phphp, the resulting file would be named file_info.php and would end up in the webroot.”

“This also meant that a double extension attack was possible. For instance, setting the wcuf_file_name parameter to test and the wcuf_current_upload_session_id parameter to info.php. would result in a filename of info.php._test which would be executable in Apache environments that use an AddHandler directive for PHP files,” state the researchers.

No matter what method is used, attackers can exploit this vulnerability to upload executable code or PHP files and effectively take control of the website or any other website installations present on the shared hosting account.

Thankfully, following the researchers’ report, the bug has been squashed in version 59.4 of the Upload Files plugin.

Users of WooCommerce Upload Files add-on are advised to upgrade to fixed version 59.4 or above.