Arbitrary Shortcode Execution & Local File Inclusion in WOOF (PluginUs.Net)

Project Description

Multiple vulnerabilies have been identified in WooCommerce Products Filter version 1.1.9. An unauthenticated user can perform a local file inclusion and execute arbitrary wordpress shortcode.


Vendor description

“PluginUs.Net is a little team of talented professionals from Ukraine. Unlike most of the big companies on the net, we believe in individual approach to every our customer. Web development is our passion and we always try to go an extra mile over our clients’ expectations.

Our team specializes in development of WordPress plugins. It’s always exciting to try new technologies and approaches to get the project done and impress clients by realization of their ideas!”

Source: https://pluginus.net/about-us/

Business recommendation

SEC Consult recommends to ugprade to the latest version available as soon as possible. Further detailed security tests should be performed in order to identify potential other security issues.

Vulnerability overview/description

1. Arbitrary Shortcode Execution

The plugin implemented a page redraw AJAX function accessible to anyone without any authentication.

WordPress shortcode markup in the “shortcode” parameters would be evaluated. Normally unauthenticated users can’t evaluate shortcodes as they are often sensitive.

Additionally, it is noted that there are other implemented shortcodes that are being used in this plugin which can be abused through the same attack. Worst, some of them could lead to remote code execution.

2. Local File Inclusion

The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable which then could lead to local file inclusion attack.

Proof of concept

1. Arbitrary Shortcode Execution

The parameter “shortcode” within the “admin-ajax.php” script is affected by the code execution vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]
action=woof_redraw_woof&shortcode=<<shortcode without []>>

2. Local File Inclusion

The parameter “shortcode” within the “admin-ajax.php” script is affected by the local file inclusion vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
[...]
action=woof_redraw_woof&shortcode=woof_search_options pagepath=/etc/passwd

Vulnerable / tested versions

PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and found to be vulnerable.

Vendor contact timeline

2018-02-20: Contacting vendor through realmag777@gmail.com
2018-02-20: Vendor agreed to proceed without encrypted channel
2018-02-21: Sent security advisory to vendor
2018-02-26: Vendor sent patch containing the fixes
2018-02-26: Informed vendor the patch doesn’t fully mitigate the vulnerability
2018-03-12: Request update from vendor
2018-03-12: Vendor said they already published the patch
2018-03-14: Public release of security advisory

Solution

The vendor provides an updated version and users are urged to upgrade to version 2.2.0
immediately:

https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/

Workaround

None

Advisory URL

https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

 

EOF Ahmad Ramadhan / @2018

Project Details

  • TitleArbitrary Shortcode Execution & Local File Inclusion
  • ProductWOOF - WooCommerce Products Filter (PluginUs.Net)
  • Vulnerable version1.1.9
  • Fixed version2.2.0
  • CVE number-
  • ImpactCritical
  • Homepagehttps://pluginus.net/
  • Found2018-02-20
  • ByAhmad Ramadhan Amizudin (Office Kuala Lumpur) | SEC Consult Vulnerability Lab

Cookie Preference

Please select an option. You can find more information about the consequences of your choice at Help.

Select an option to continue

Your selection was saved!

Help

Help

To continue, you must make a cookie selection. Below is an explanation of the different options and their meaning.

  • Accept all cookies:
    All cookies such as tracking and analytics cookies.
  • Accept first-party cookies only:
    Only cookies from this website.
  • Reject all tracking cookies:
    No cookies except for those necessary for technical reasons are set.

You can change your cookie setting here anytime: Privacy Statement. Legal Notice

Back