Num. Verde 800 11 28 25

WordPress Ultimate Product Catalogue Vulnerability

Indice dei contenuti


Seeweb ha scoperto una zero-day all’interno del plugin di WordPress “Ultimate Product Catalogue “. Dopo averne discusso con gli sviluppatori, che hanno fornito una patch, abbiamo rilasciato una full disclosure e deciso di condividere con voi questa notizia.

Product Description:

Ultimate Product Catalog plugin is designed to help WordPress sites administrators display products quickly and easily in an attractive and customizable layout, making your catalogue easy to browse, sort and update with categories, sub-categories, and tags.

Vulnerability Summary:

Severity: Critical
Class: Unauthenticated Arbitrary File Upload
Remote: Yes
Vulnerable: WordPress Ultimate Product Catalogue Plugin 3.1.1 (and previous versions)
Credit: Luca Ercoli

The vulnerability occurs due to the use of user-supplied input without proper validation.
By sending a specially-crafted HTTP POST request, a remote unauthenticated attacker can exploit this issue to upload arbitrary file and execute it in the context of the webserver process.

Vulnerability Description:

Vulnerability exist in the Add_Products_From_Spreadsheet() function, where “move_uploaded_file” (PHP Filesystem Function) can be called by unauthenticated users.
In order to exploit this flaw, we can use the WordPress AJAX API, hence the hook to function “Update_UPCP_Content” that exist in the file UPCP_Main.php: [sociallocker id=”7320″]

add_action(‘widgets_init’, ‘Update_UPCP_Content’);

By sending a specially-crafted request to Update_UPCP_Content(), we can execute Add_Products_From_Spreadsheet() and upload an arbitraty file into “wp-content/plugins/ultimate-product-catalogue/product-sheets” folder.

Proof of Concept:

curl -v -k -X POST -F “Products_Spreadsheet=@./backdoor.php” “” [/sociallocker]

Vendor Response:

According to the vendor, a software version that fixes the vulnerability found has been released and is available for download.

Disclosure Timeline:

* Apr 21, 2015, 19:44 CEST: Vendor is notified of the vulnerability
* Apr 21, 2015, 22:40 CEST: Vendor confirms report and indicates that the flaw has been patched
* Apr 22, 2015: Public disclosure


Condividi su linkedin
Condividi su twitter
Condividi su facebook
Condividi su whatsapp
Condividi su email

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

89 − 87 =