Yandex Market WordPress Plugin Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in the YML for Yandex Market WordPress plugin, affecting versions prior to 5.0.26. The issue arises during the feed generation process: the value of the 'Change domain to' feed setting is written into the generated feed without adequate validation, and the extension of the generated feed file is not restricted to feed formats, so an attacker who can create a feed can have attacker-controlled PHP written to a web-accessible file and then execute it.

Impact

Exploitation of this vulnerability allows remote code execution on the server hosting the affected WordPress site. The attacker needs an authenticated account with the WooCommerce Shop Manager role (a store-staff role, not an administrator), so the issue is effectively a privilege escalation from a limited store role to arbitrary PHP execution with the privileges of the web server process, which is the same access WordPress itself has to its files and database configuration.

Reproduction

To reproduce this vulnerability:

1. Install and activate the WooCommerce plugin, then install and activate the YML for Yandex Market plugin.
2. Log into the WordPress dashboard as a Superadmin and create a new user with the Shop Manager role.
3. Log in as the Shop Manager and navigate to the Y4YM tab.
4. Create a new feed and, in the 'Change domain to' field, insert a payload containing a PHP command injection.
5. Save the feed, intercept the save request, change the feed file extension to 'php', and forward the modified request.
6. Once the feed link is generated, request it with a parameter containing the command to run; the command is executed on the server.

The Superadmin account is used only to create the test user; the feed is created and the payload is delivered entirely with Shop Manager privileges.

Remediation

Users are advised to update the YML for Yandex Market WordPress plugin to version 5.0.26 or later and to confirm the installed version on the WordPress Plugins page after updating. Because exploitation writes a PHP file into a web-accessible feed location, administrators of sites that ran a vulnerable version with Shop Manager accounts should also check the feed output location for unexpected files with a .php extension and remove any they find.

Added: Apr 10, 2026, 8:27 AM
Updated: Apr 10, 2026, 8:27 AM

Vulnerability Rating (Custom Algorithm)

spread          1.0
impact          7.5
exploitability  6.8
remediation     0.0
relevance       5.7
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.