WordPress Catalog Importer, Scraper & Crawler Unauthenticated PHP Code Injection Vulnerability
Vulnerability
A PHP code injection vulnerability has been identified in the Catalog Importer, Scraper & Crawler plugin for WordPress, affecting all versions through 5.1.4. The plugin relies on a guessable numeric token instead of proper authentication, and it passes user-supplied input to the eval() function. Together, these flaws allow unauthenticated attackers to execute arbitrary PHP code on the server by sending a forged request with a guessed or brute-forced numeric key.
Impact
Exploitation of this vulnerability allows for arbitrary PHP code execution on the server where the affected WordPress site is hosted.
Reproduction
To reproduce this vulnerability, send a request to the WordPress site with the 'megaimporter_communication' parameter set to '1' and the 'clef' parameter containing a guessed numeric key. The 'codeGroovy', 'codeLiens', and 'codeFinal' parameters can also be included to demonstrate the injection of PHP code, which will be executed on the server.
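For defenders, the request shape described above can be searched for in web server logs. The following is an added example, not code from the plugin or from this advisory: it assumes combined-format access logs in which the parameters appear in the query string (parameters sent in a request body would need WAF or body logging instead), and the threshold of three distinct keys is an arbitrary illustrative value.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "GET /?megaimporter_communication=1&clef=1000 HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /?megaimporter_communication=1&clef=1001 HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2025:10:00:03 +0000] "GET /?megaimporter_communication=1&clef=1002&codeFinal=x HTTP/1.1" 200 12 "-" "curl/8.0"
198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] "GET /?megaimporter_communication=1&clef=77 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Jan/2025:10:02:00 +0000] "GET /shop/?page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP and request target from a combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')
# Code-carrying parameters named in the advisory.
CODE_PARAMS = ("codeGroovy", "codeLiens", "codeFinal")

def analyze(log_text, key_threshold=3):
    """Summarise requests to the plugin's communication handler per client IP."""
    stats = defaultdict(lambda: {"hits": 0, "keys": set(), "code_params": set()})
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "1" not in params.get("megaimporter_communication", []):
            continue  # unrelated request
        entry = stats[ip]
        entry["hits"] += 1
        entry["keys"].update(params.get("clef", []))
        entry["code_params"].update(p for p in CODE_PARAMS if p in params)
    findings = {}
    for ip, e in stats.items():
        findings[ip] = {
            "hits": e["hits"],
            "distinct_keys": len(e["keys"]),
            # Many different 'clef' values from one client suggests key guessing.
            "key_guessing": len(e["keys"]) >= key_threshold,
            "code_params": sorted(e["code_params"]),
        }
    return findings

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(ip, f)
```

Any hit on a site that does not use the plugin's remote communication feature is worth investigating, and a client flagged with both key guessing and code parameters should be treated as a likely compromise attempt.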
