0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WOOF WooCommerce Products Filter 1.1.9 LFI / Code Execution Exploit
======================================================================= title: Arbitrary Shortcode Execution & Local File Inclusion product: WOOF - WooCommerce Products Filter (PluginUs.Net) vulnerable version: 1.1.9 fixed version: 2.2.0 CVE number: (requested but not yet received) impact: Critical homepage: https://pluginus.net/ ======================================================================= Vendor description: ------------------- "PluginUs.Net is a little team of talented professionals from Ukraine. Unlike most of the big companies on the net, we believe in individual approach to every our customer. Web development is our passion and we always try to go an extra mile over our clients' expectations. Our team specializes in development of WordPress plugins. It's always exciting to try new technologies and approaches to get the project done and impress clients by realization of their ideas!" Source: https://pluginus.net/about-us/ Business recommendation: ------------------------ SEC Consult recommends to ugprade to the latest version available as soon as possible. Further detailed security tests should be performed in order to identify potential other security issues. Vulnerability overview/description: ----------------------------------- 1. Arbitrary Shortcode Execution The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameters would be evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive. Additionally, it is noted that there are other implemented shortcodes that are being used in this plugin which can be abused through the same attack. Worst, some of them could lead to remote code execution. 2. Local File Inclusion The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable which then could lead to local file inclusion attack. Proof of concept: ----------------- 1. Arbitrary Shortcode Execution The parameter "shortcode" within the "admin-ajax.php" script is affected by the code execution vulnerability: POST /wp-admin/admin-ajax.php HTTP/1.1 [...] action=woof_redraw_woof&shortcode=<<shortcode without []>> 2. Local File Inclusion The parameter "shortcode" within the "admin-ajax.php" script is affected by the local file inclusion vulnerability: POST /wp-admin/admin-ajax.php HTTP/1.1 [...] action=woof_redraw_woof&shortcode=woof_search_options pagepath=/etc/passwd Vulnerable / tested versions: ----------------------------- PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and found to be vulnerable. Vendor contact timeline: ------------------------ 2018-02-20: Contacting vendor through realmag777@gmail.com 2018-02-20: Vendor agreed to proceed without encrypted channel 2018-02-21: Sent security advisory to vendor 2018-02-26: Vendor sent patch containing the fixes 2018-02-26: Informed vendor the patch doesn't fully mitigate the vulnerability 2018-03-12: Request update from vendor 2018-03-12: Vendor said they already published the patch 2018-03-14: Public release of security advisory Solution: --------- The vendor provides an updated version and users are urged to upgrade to version 2.2.0 immediately: https://www.woocommerce-filter.com/update-woocommerce-products-filter-v-2-2-0/ # 0day.today [2024-09-28] #