StoreEngine WordPress Plugin Arbitrary File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

The StoreEngine WordPress eCommerce plugin, in all versions up to and including 1.5.0, allows authenticated users with Subscriber-level access or higher to upload arbitrary files. The CSV import function does not adequately validate the type of the uploaded file, and the nonce that protects the import request is exposed to all front-end users. A nonce is a CSRF token, not an authorization check, so once it is available to every logged-in user the import function is effectively reachable by any account. Together these flaws let a low-privileged user place a file of their choosing, such as a PHP web shell, on the server, which can lead to remote code execution.
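
The fix pattern, as an added example that is not StoreEngine's own code: a WordPress AJAX import handler that gates on a real capability, checks a nonce, and validates the upload by extension and sniffed content instead of the client-supplied MIME type, shown beside the kind of handler the description implies. The hook name, nonce action, form field name and the use of manage_options are assumptions for illustration.

```php
<?php
// Added example, not StoreEngine's source. Hook/action/field names are assumed.

// Hypothetical vulnerable pattern matching the advisory: the only gate is a
// nonce that the plugin prints on the public front end, and the file type is
// taken from $_FILES[...]['type'], which the client controls.
function example_vulnerable_csv_import() {
    check_ajax_referer( 'csv_import_nonce', 'nonce' ); // proves intent, not privilege
    $file = $_FILES['csv_file'];
    if ( 'text/csv' !== $file['type'] ) {              // client-supplied, trivially spoofed
        wp_send_json_error( 'Not a CSV' );
    }
    $dest = wp_upload_dir()['path'] . '/' . basename( $file['name'] ); // keeps shell.php
    move_uploaded_file( $file['tmp_name'], $dest );
    wp_send_json_success( $dest );
}

// Hardened handler.
function example_hardened_csv_import() {
    // 1. Authorization: require a capability that only store administrators hold.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }
    // 2. CSRF: nonce check. Print this nonce only on the admin import screen.
    check_ajax_referer( 'storeengine_csv_import', 'nonce' );

    if ( empty( $_FILES['csv_file'] ) || UPLOAD_ERR_OK !== $_FILES['csv_file']['error'] ) {
        wp_send_json_error( 'No file uploaded', 400 );
    }
    $file = $_FILES['csv_file'];

    // 3. Type validation: extension must be .csv AND the sniffed content must be
    //    consistent with it. wp_check_filetype_and_ext() uses finfo on the temp
    //    file; a .php name or PHP content yields ext/type === false.
    $allowed = array( 'csv' => 'text/csv' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( 'csv' !== $check['ext'] || empty( $check['type'] ) ) {
        wp_send_json_error( 'Only .csv files are accepted', 415 );
    }

    // 4. Defense in depth: refuse anything containing a PHP open tag even if it
    //    slipped past the sniffer (e.g. CSV rows followed by <?php ...).
    $head = file_get_contents( $file['tmp_name'], false, null, 0, 8192 );
    if ( false !== stripos( $head, '<?php' ) || false !== strpos( $head, '<?=' ) ) {
        wp_send_json_error( 'Rejected', 415 );
    }

    // 5. Store via wp_handle_upload() with the restricted MIME map so the saved
    //    name is sanitized and the .csv extension is enforced again.
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_send_json_error( $moved['error'], 400 );
    }

    // ... parse $moved['file'] as CSV here (importer omitted) ...
    wp_send_json_success( array( 'file' => basename( $moved['file'] ) ) );
}
add_action( 'wp_ajax_storeengine_csv_import', 'example_hardened_csv_import' );
```

The order matters: the capability check comes first so that an exposed nonce alone cannot reach the upload code, and the type check never consults the client-supplied MIME type. Restricting the mimes map passed to wp_handle_upload() means that even if an earlier check were bypassed, WordPress will not write a file with a PHP extension.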

Impact

Successful exploitation allows any authenticated user with Subscriber-level access or higher to upload a file of their choosing, including a PHP web shell, into a location served by the web server. Requesting that file then executes the embedded PHP, giving the attacker arbitrary code execution in the context of the web server account.

Reproduction

To reproduce this vulnerability, log in to a WordPress site running StoreEngine 1.5.0 or earlier as a user with Subscriber-level access or higher. Obtain the import nonce, which the plugin exposes to all front-end users, and submit an upload to the CSV import function. Intercept the upload request with a proxy such as Burp Suite and modify it so that a PHP file is presented as a CSV; the server-side validation does not reliably distinguish the two. Once the upload is accepted, request the stored file through the web server. If the response is the output of the PHP code rather than its source text, the file was executed and the vulnerability is confirmed.

Remediation

Users are advised to update the StoreEngine WordPress plugin to version 1.5.1 or later. Sites that ran a vulnerable version with untrusted registered users should also review the locations the plugin writes imports to for unexpected PHP files, since a shell uploaded before the update is not removed by updating.

Added: Sep 17, 2025, 7:19 AM
Updated: Sep 17, 2025, 2:55 PM

Vulnerability Rating (custom algorithm)

spread: 0.0
impact: 10.0
exploitability: 6.6
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.