Follow

10/23/17: WordPress WP EasyCart Unrestricted File Upload | Security Bulletin

Threat Summary

Overview

The Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the plugin does not properly verify or sanitize user-uploaded files. 

Exploitation

Stages

  1. The attacker sends a specially crafted request to ‘wp-easycart/inc/amfphp/administration/banneruploaderscript.php’ containing a PHP file upload attempt.
  2. php does not perform verification or sanitization of the file; it stores it in a user-accessible location resulting in RCE capabilities.

Prerequisites

You will need WordPress plugin WP EasyCart 3.0.8.

Vulnerability Description

A remote file upload vulnerability exists in the WordPress plugin WP EasyCart. The vulnerability lies in script ‘inc/amfphp/administration/banneruploaderscript.php’. This script does not contain verification or sanitization of uploaded files, allowing an attacker the ability to upload arbitrary PHP files. This can result in remote code execution as the uploaded PHP files are stored in a user-accessible path. No authentication is required for successful execution of this attack.

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.

Recommendations for Mitigation

Update the plugin to a non-vulnerable version.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.