eMagicOne Store Manager for WooCommerce Arbitrary File Upload Vulnerability
Vulnerability
An arbitrary file upload vulnerability has been identified in the eMagicOne Store Manager for WooCommerce plugin for WordPress, affecting all versions through 1.2.5. The issue arises from inadequate file type validation in the set_file() function, which enables unauthenticated attackers to upload arbitrary files to the server. This could lead to remote code execution, particularly in default configurations where the default password is unchanged, or where the attacker obtains the credentials.
Impact
Exploitation of this vulnerability allows for arbitrary file uploads, which could be used to upload malicious files such as PHP shells, leading to remote code execution.
Reproduction
To reproduce this vulnerability, first authenticate using the default credentials (login: 1, password: 1) to obtain a session key. Then, send a POST request to the bridge endpoint with the session key, the task set_file, and the file to be uploaded. The uploaded file will be placed in the WordPress root directory or any other writable directory specified.
Remediation
Users are advised to update to version 1.3.0 or later, where this vulnerability has been patched.
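The kind of server-side check that set_file() is described as lacking, shown here as an added example that is neither the plugin's code nor the 1.3.0 patch: it refuses executable file types, confines the destination to a single upload directory, and flags the shipped 1/1 credentials. The function names, the extension allowlist and the demo directory are assumptions made for illustration.

```php
<?php
// Added example; all names are hypothetical and this is not the plugin's code.
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'webp', 'csv']; // assumed allowlist
const EXEC_EXT    = ['php', 'phtml', 'phar', 'php5', 'php7', 'pht', 'cgi', 'pl'];

// True while the bridge still uses the shipped login/password pair ("1"/"1").
function uses_default_credentials(string $login, string $password): bool {
    return $login === '1' && $password === '1';
}

// Returns the absolute destination path, or throws if the upload must be refused.
function safe_upload_target(string $baseDir, string $requestedDir, string $clientName): string {
    $name = basename(str_replace('\\', '/', $clientName)); // drop any client-supplied path
    if ($name === '' || $name[0] === '.') {
        throw new InvalidArgumentException('empty or hidden file name');
    }
    $parts = array_map('strtolower', explode('.', $name));
    array_shift($parts); // first segment is the stem; the rest are extensions
    if ($parts === [] || !in_array(end($parts), ALLOWED_EXT, true)) {
        throw new InvalidArgumentException('extension not on allowlist');
    }
    // Reject shell.php.jpg as well: some server configs execute on any matching segment.
    if (array_intersect($parts, EXEC_EXT) !== []) {
        throw new InvalidArgumentException('executable extension in file name');
    }
    $base = realpath($baseDir);      // canonical form, symlinks and ".." resolved
    $dir  = realpath($requestedDir); // false if the directory does not exist
    if ($base === false || $dir === false
        || strncmp($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('destination outside upload directory');
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo input: a temporary directory stands in for the uploads folder.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'bridge_uploads_demo';
@mkdir($base);
foreach ([[$base, 'product.png'], [$base, 'shell.php'], [$base, 'shell.php.jpg'],
          [dirname($base), 'product.png']] as [$dir, $file]) {
    try {
        $path = safe_upload_target($base, $dir, $file);
        echo "accept  $file -> $path", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "refuse  $file in $dir: ", $e->getMessage(), PHP_EOL;
    }
}
var_dump(uses_default_credentials('1', '1')); // true: keep the bridge disabled until changed
```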
