The Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the plugin does not properly verify or sanitize user-uploaded files.
Exploitation
Stages
- The attacker sends a specially crafted request to ‘wp-easycart/inc/amfphp/administration/banneruploaderscript.php’ containing a PHP file upload attempt.
- The script does not verify or sanitize the file; it stores it in a user-accessible location, resulting in RCE capabilities.
Prerequisites
You will need WordPress plugin WP EasyCart 3.0.8.
Vulnerability Description
A remote file upload vulnerability exists in the WordPress plugin WP EasyCart. The vulnerability lies in the script ‘inc/amfphp/administration/banneruploaderscript.php’. This script does not verify or sanitize uploaded files, which allows an attacker to upload arbitrary PHP files. This can result in remote code execution because the uploaded PHP files are stored in a user-accessible path. No authentication is required for successful execution of this attack.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with new signatures that detect this exploit via Alert Logic Threat Manager™. If one of these signatures is triggered, an incident is generated in the Alert Logic console.
Recommendations for Mitigation
Update the plugin to a non-vulnerable version.
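To check whether a site received upload attempts before the plugin was updated, the web server access log can be searched for POST requests to the script named above. The following is an added example, not part of the original advisory and not an Alert Logic signature; it assumes the Apache/Nginx combined log format, and the sample log lines and function names are constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Script path named in the advisory, relative to the plugins directory.
VULN_SCRIPT = "wp-easycart/inc/amfphp/administration/banneruploaderscript.php"

# Assumed combined log format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-content/plugins/wp-easycart/readme.txt HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php HTTP/1.1" 200 17 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:11:30:00 +0000] "POST /wp-content/plugins//wp-easycart/inc/amfphp/administration/BannerUploaderScript%2Ephp?x=1 HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.4 - - [01/Jan/2024:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

def normalize(target):
    """Drop query/fragment, percent-decode, collapse '//' and '/./', lowercase."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):  # decode twice so double-encoded requests are also caught
        path = unquote(path)
    return posixpath.normpath(path).lower()

def find_upload_attempts(lines):
    """Return {client_ip: [(time, status), ...]} for POSTs to the vulnerable script."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if "/" + VULN_SCRIPT in normalize(m["target"]):
            hits[m["ip"]].append((m["time"], int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in find_upload_attempts(SAMPLE_LOG).items():
        print(ip, events)
```

A 2xx status on a matching request means the script was present and handled the POST, so those entries warrant a review of the site for unexpected PHP files; a 404 indicates the request did not reach the script.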