Exploitation Level: Easy / Remote
DREAD Score: 6
Vulnerability: Arbitrary File Upload
Patched Version: 4.3
Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately.
As we’ve seen some exploit attempts occurring in the wild, we feel it is a good time to describe what the issue is.
Current State of the Vulnerability
This arbitrary file upload vulnerability was made public a few weeks ago and has recently been patched. It can be exploited by unauthenticated remote attackers if users have the Categorize Uploaded Files option enabled in the plugin settings.
What Is It All About?
A WordPress plugin enables API routes by registering actions with either wp_ajax_ for authenticated or wp_ajax_nopriv_ for unauthenticated calls. Plugins using wp_ajax_nopriv_ actions should be fine as long as they are not giving access to methods with critical functionalities.
Unfortunately, vulnerable versions of the WooCommerce Checkout Manager are giving access to an upload functionality without using the proper restrictions. Under certain circumstances, this can allow a bad actor to upload malicious files to the affected site, modify data, or gain administrative access.
Indicators of Compromise
You can look for requests pointing to the PHP file /wp-admin/admin-ajax.php with the following parameter in your access logs:
- wccs_upload_file_func
- order_id
- Name
Protect Yourself
Users with vulnerable versions of this plugin should update to version 4.3 as soon as possible, however, it’s worth noting that this vulnerability was left unpatched for weeks. Due to the unresponsive nature of the development team, we’d encourage you to pursue other plugin options that have more active development teams and demonstrate a concern for security.
If you’re seeing symptoms of a hack and need a hand cleaning it up, contact us—we’d be happy to help clean up your site.
Note: Users of our Web Application Firewall (WAF) product are already protected against this threat via our virtual patching feature.