News

WooCommerce fixes critical Upload Files vulnerability

Developers have fixed a critical vulnerability in the WooCommerce Upload Files plugin.

WooCommerce is an open-source e-commerce platform used by WordPress websites around the world.

Tracked as CVE-2021-24171, this serious arbitrary file upload vulnerability can be exploited by attackers for remote code execution and to take over the website.

Although separate from the WooCommerce WordPress plugin, the Upload Files plugin is an add-on with over 5,000 active installations.

Researchers discover vulnerability in December 2020

Back in December 2020, researchers at Wordfence had discovered the arbitrary file upload bug in the WooCommerce Upload Files add-on, but worked with the vendor to ensure a proper coordinated disclosure could take place.

“After confirming the vulnerability, we contacted the plugin’s developer, Domenico Lagudi, who responded quickly and released a patch the same day, on December 29, 2020,” state the researchers in a posting.

Wordfence in-built firewall rules did provide some protection against this vulnerability, a bypass was still possible.

On realizing this, the researchers released a firewall rule to combat this issue.

“We quickly released a firewall rule to our premium customers on December 29, 2020. Sites still running the free version of Wordfence received the firewall rule 30 days later, on January 28, 2021,” the researchers continued.

Improper input sanitization led to double extension and path traversal attacks

The Upload Files constructed filenames of the uploaded files using information from the wcuf_current_upload_session_id and wcuf_file_name parameters.

While there were checks in place to ensure these parameters did not contain any forbidden file extensions, these checks fell short.

“For instance, uploading a file with a wcuf_current_upload_session_id parameter set to session1 and the wcuf_file_name parameter set to shell.php would result in the actual file uploaded being named session1_shell as the .php extension would be removed,” explains Wordfence.

The researchers further demonstrate different exploit techniques that can be used to exploit the vulnerability, including path traversal payload, and using double-extensions.

“Unfortunately, the wcuf_current_upload_session_id parameter was also not sufficiently sanitized and was vulnerable to directory traversal. For instance, if a request was sent with the wcuf_current_upload_session_id parameter set to ../../../../file and the wcuf_file_name set to info.p.phphp, the resulting file would be named file_info.php and would end up in the webroot.”

“This also meant that a double extension attack was possible. For instance, setting the wcuf_file_name parameter to test and the wcuf_current_upload_session_id parameter to info.php. would result in a filename of info.php._test which would be executable in Apache environments that use an AddHandler directive for PHP files,” state the researchers.

No matter what method is used, attackers can exploit this vulnerability to upload executable code or PHP files and effectively take control of the website or any other website installations present on the shared hosting account.

Thankfully, following the researchers’ report, the bug has been squashed in version 59.4 of the Upload Files plugin.

Users of WooCommerce Upload Files add-on are advised to upgrade to fixed version 59.4 or above.

Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

11 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

11 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

11 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

11 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.