CVE-2024-10820 is a critical unauthenticated arbitrary file upload vulnerability in the WooCommerce Upload Files WordPress plugin, disclosed in November 2024. All versions up to and including 84.3 are affected. The flaw lets anyone, without logging in, upload any kind of file to the site's server; if that file is a PHP script, the attacker can execute code on the server and take full control of the site.
This article gives a plain-English overview of how the bug works, walks through illustrative code, and links to the official references and hardening guidance for securing your site.
What Is WooCommerce Upload Files?
The WooCommerce Upload Files plugin lets customers upload files when placing orders on WooCommerce-powered stores. It's used for things like uploading images for personalized products. Unfortunately, it didn't properly check what kinds of files were being uploaded.
The Vulnerability: Missing File Type Validation
At the heart of the problem is the plugin's upload_files() function. It should restrict uploads to an allowlist of harmless types (such as .jpg or .pdf). It does not, so an attacker can upload PHP scripts, web shells, or anything else.
Below is a simplified illustration of the core issue in upload_files(); it is not the plugin's actual source:
```php
function upload_files() {
    // ... other code handling the upload request

    if ( isset( $_FILES['file'] ) ) {
        $uploaded_file = $_FILES['file'];
        $upload_dir    = wp_upload_dir();

        // basename() only strips directory components from the client-supplied
        // name; the extension is kept exactly as the client sent it.
        $target = $upload_dir['path'] . '/' . basename( $uploaded_file['name'] );

        // No check of file type, MIME type, or extension before writing to disk!
        if ( move_uploaded_file( $uploaded_file['tmp_name'], $target ) ) {
            echo "File uploaded: " . $target;
        } else {
            echo "Upload failed.";
        }
    }
}
```
There is no validation of file type, MIME type, or extension before the file is saved, and the attacker controls the filename, so a name ending in .php lands unchanged in a web-accessible directory.
How Attackers Exploit CVE-2024-10820
Because there's no validation, an unauthenticated attacker can POST a multipart request containing a PHP web shell to the plugin's upload handler. Once the file is on disk, they request its URL in a browser and, if the server executes PHP in that directory, they gain code execution as the web server user. The AJAX action name and the destination path below are illustrative; the real handler and the year/month upload folder depend on the plugin version and the site.

```bash
# Upload a PHP web shell through the unauthenticated handler (endpoint illustrative)
curl -F "file=@malicious.php" "https://vulnerablesite.com/wp-admin/admin-ajax.php?action=upload_files"
```

Then trigger it by requesting the uploaded file:

```
https://vulnerablesite.com/wp-content/uploads/2024/02/malicious.php?cmd=whoami
```

WordPress does not block PHP execution under wp-content/uploads by default, so unless the server has been hardened the attacker now has remote code execution, which means:
- Full WordPress site compromise
- The attacker can upload defacement pages, steal data, or use the site in larger attacks (such as sending spam)
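Checking whether this pattern has already hit a site is mostly a log question. The script below is an added example, not code from the article or the plugin: it parses combined-format access log lines (the sample lines are constructed, not real traffic), flags successful requests for PHP-executable files under wp-content/uploads, and lists clients that first POSTed to the upload handler and then fetched such a file. The handler path is assumed from the request shown above; adjust it to the real endpoint.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=upload_files HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.5 - - [13/Nov/2024:10:01:09 +0000] "GET /wp-content/uploads/2024/11/malicious.php?cmd=whoami HTTP/1.1" 200 88 "-" "curl/8.4.0"
198.51.100.7 - - [13/Nov/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/11/photo.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2024:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=upload_files HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [13/Nov/2024:10:03:00 +0000] "GET /wp-content/uploads/2024/11/backdoor.phtml HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a PHP-enabled server may execute; a request for one of these under
# uploads/ is suspicious whether or not it succeeded.
PHP_EXT_RE = re.compile(r'\.(php[0-9]?|phtml|phar)(\?|$)', re.IGNORECASE)
UPLOADS_PREFIX = "/wp-content/uploads/"
UPLOAD_HANDLER = "/wp-admin/admin-ajax.php"  # assumption: handler path as in the article's request

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_indicators(log_text):
    """Return (served_shells, upload_then_exec_ips).

    served_shells: (ip, path) for PHP-executable files under uploads/ that the
    server answered 200, i.e. a dropped shell the server actually served.
    upload_then_exec_ips: clients that POSTed to the upload handler and later
    requested a PHP-executable file under uploads/, whatever the status.
    """
    posted_to_handler = defaultdict(bool)
    served_shells = []
    upload_then_exec = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "POST" and path.startswith(UPLOAD_HANDLER):
            posted_to_handler[rec["ip"]] = True
            continue
        if path.startswith(UPLOADS_PREFIX) and PHP_EXT_RE.search(path):
            if rec["status"] == 200:
                served_shells.append((rec["ip"], path.split("?", 1)[0]))
            if posted_to_handler[rec["ip"]]:
                upload_then_exec.add(rec["ip"])
    return served_shells, sorted(upload_then_exec)

if __name__ == "__main__":
    shells, ips = find_indicators(SAMPLE_LOG)
    for ip, path in shells:
        print(f"served PHP under uploads: {ip} -> {path}")
    print("upload-then-execute clients:", ips)
```

A 404 for a .php under uploads (the third client above) is still worth a look: it is usually a scanner probing for a shell that was never dropped, or one that was already removed. A 200 means the server executed or served the file and the host should be treated as compromised until proven otherwise.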
Patch and Fix
1. Update plugin immediately
The plugin developers have patched this issue in versions later than 84.3. Check the installed version under Plugins in wp-admin and update; if the plugin cannot be updated immediately, deactivate it until it can.
2. Restrict file types
If you must accept uploads, allowlist the extension and the MIME type and verify the file's contents, not just its name. An extension-only check accepts shell.php.jpg, which Apache setups that map PHP with AddHandler will still hand to PHP. WordPress core already provides a check that does the extension and content validation. For example:

```php
$allowed = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
);
// WordPress core: checks the extension against the allowlist and uses the
// file's contents to verify the type where it can (images in particular).
$check = wp_check_filetype_and_ext( $uploaded_file['tmp_name'], $uploaded_file['name'], $allowed );
if ( $check['ext'] && $check['type'] ) {
    // safe to upload (use $check['proper_filename'] if it is set)
} else {
    // block it
}
```
3. Restrict upload folder execution
Prevent PHP from running in the uploads directory. On Apache (where .htaccess overrides are enabled for that path), drop this file into wp-content/uploads; it covers the alternative PHP extensions as well as .php. nginx ignores .htaccess entirely, so there the equivalent is a location block for wp-content/uploads that denies requests for .php files.

```apache
# .htaccess in /wp-content/uploads
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    # Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" and "Deny from all"
    Require all denied
</FilesMatch>
```

This is a defence-in-depth control: it stops a dropped shell from executing but does not stop the upload itself, so it complements the plugin update rather than replacing it.
Official References
- Patchstack CVE-2024-10820 Advisory
- NVD CVE-2024-10820 Details: https://nvd.nist.gov/vuln/detail/CVE-2024-10820
- WooCommerce Upload Files plugin
Conclusion
CVE-2024-10820 is a critical flaw that exposes WordPress sites running WooCommerce Upload Files to unauthenticated remote code execution. If your site runs version 84.3 or earlier, update the plugin right away and harden the web server. In general, validate uploaded files by allowlist and verify their contents, and block script execution in the uploads directory.
Does your site use this plugin? Don’t wait for a hack to happen — fix it now!
*Share this to keep the WordPress community safe!*
Timeline
Published on: 11/13/2024 04:15:04 UTC
Last modified on: 11/19/2024 17:38:16 UTC