漏洞描述
Wordpress e-Commerce Plugin 3.4版本及其早期版本的image_processing.php中存在无限制文件上传漏洞。远程攻击者可以借助上传一个具有可执行扩展名的文件并对wp-content/plugins/wp-shopping-cart/中的文件提交一个直接的请求来访问该文件,以执行任意代码。
Instinct WP e-Commerce 'image_processing.php'任意文件上传漏洞
PoC代码
暂无相关漏洞推荐
- WordPress WooCommerce Designer Pro 插件 /wp-admin/admin-ajax.php wcdp_save_canvas_design_ajax 文件上传漏洞(CVE-2025-6440)
- WordPress Google for WooCommerce /wp-content/plugins/google-listings-and-ads/vendor/googleads/google-ads-php/scripts/print_php_information.php 信息泄露漏洞(CVE-2024-10486)
- Adobe Commerce/Magento SessionReaper /customer/address_file/upload 文件上传漏洞(CVE-2025-54236)
- Code-Projects E-Commerce Website SQL注入漏洞
- Wordpress WooCommerce Ultimate Gift Card /wp-admin/admin-ajax.php mwb_wgm_preview_mail 文件上传漏洞(CVE-2024-8425)
- POC CVE-2023-2986: Abandoned Cart Lite for WooCommerce - Authentication Bypass
- POC CVE-2014-4558: WooCommerce Swipe <= 2.7.1 - Cross-Site Scripting
- POC CVE-2018-5316: WordPress SagePay Server Gateway for WooCommerce <1.0.9 - Cross-Site Scripting
- POC CVE-2021-24169: WordPress Advanced Order Export For WooCommerce <3.1.8 - Authenticated Cross-Site Scripting
- POC CVE-2021-24300: WordPress WooCommerce <1.13.22 - Cross-Site Scripting
- POC CVE-2021-24849: WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
- POC CVE-2021-24875: WordPress eCommerce Product Catalog <3.0.39 - Cross-Site Scripting
- POC CVE-2021-24991: WooCommerce PDF Invoices & Packing Slips WordPress Plugin < 2.10.5 - Cross-Site Scripting