Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
WordPress AIT CSV Import/Export Plugin Unauthenticated Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability has been identified in the WordPress AIT CSV Import/Export plugin, affecting versions through 3.0.3. The vulnerability arises from an unrestricted file upload feature: the upload-handler.php file accepts arbitrary file uploads via multipart/form-data POST requests. This endpoint lacks both authentication and proper content-type validation, enabling attackers to upload malicious PHP files directly to the server. Although the upload may trigger a CSV parsing error, the malicious file is still saved in the wp-content/uploads/ directory and remains executable. Notably, the plugin does not need to be active for exploitation to succeed.
Impact
Exploitation of this vulnerability allows for unauthenticated remote code execution on the server, with the uploaded malicious file executed in the context of the web server.
Reproduction
To reproduce this vulnerability, send a POST request to the upload-handler.php file located in the AIT CSV Import/Export plugin directory. The request must include a file payload containing malicious PHP code, using the multipart/form-data content type. After the file is uploaded, it can be accessed from the wp-content/uploads/ directory, where it will execute on the server.
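Seen from the defender's side, the pattern described above leaves two traces in a web-server access log: a POST to upload-handler.php under wp-content/plugins/, and a later request for a .php file under wp-content/uploads/. The following Python script, added here and not part of the advisory or the plugin vendor's code, hunts a combined-format access log for both; the log lines are constructed, and PLUGIN-DIR is a placeholder for the plugin's directory name, which the advisory does not give.

```python
import re

# Apache/nginx "combined" access-log format: client IP, identity, user,
# timestamp, request line, status, size, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic). PLUGIN-DIR stands in for the
# plugin's directory name, which the advisory does not give.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-content/plugins/PLUGIN-DIR/upload-handler.php HTTP/1.1" 500 512 "-" "curl/8.0"
203.0.113.10 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-content/uploads/x.php HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-content/uploads/2024/01/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def detect(log_text):
    """Return (ip, reason, path) findings for the two indicators."""
    findings = []
    uploaders = set()  # IPs that hit the upload handler earlier in the log
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method = m["ip"], m["method"]
        path = m["path"].split("?", 1)[0]
        # Indicator 1: any POST to the plugin's upload-handler.php. The endpoint
        # is unauthenticated, so every hit merits review regardless of status;
        # the advisory notes the file is kept even when CSV parsing fails.
        if (method == "POST" and "/wp-content/plugins/" in path
                and path.endswith("/upload-handler.php")):
            uploaders.add(ip)
            findings.append((ip, "POST to upload-handler.php", path))
        # Indicator 2: a request for a PHP script under wp-content/uploads/,
        # where a WordPress site should only ever serve media files.
        elif path.startswith("/wp-content/uploads/") and path.lower().endswith(".php"):
            reason = ("PHP in uploads/ after upload-handler POST"
                      if ip in uploaders else "PHP in uploads/")
            findings.append((ip, reason, path))
    return findings


if __name__ == "__main__":
    for ip, reason, path in detect(SAMPLE_LOG):
        print(f"{ip:15} {reason:42} {path}")
```

Denying execution of .php files under wp-content/uploads/ at the web server is a standard WordPress hardening step that limits the impact of this class of upload flaw while the plugin update is rolled out.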
Remediation
Users are advised to update the AIT CSV Import/Export WordPress plugin to version 3.0.4 or later.
