High severity vulnerability fixed in Product Input Fields for WooCommerce.

The Product Input Fields for WooCommerce plugin for WordPress (5,000+ active installations) fixed a high severity vulnerability affecting version 1.2.6 and below that could allow an unauthenticated user to download any file from the website, including the WordPress configuration file that contains the database credentials.

Unauthenticated Arbitrary File Download

In the "product-input-fields-for-woocommerce/includes/class-alg-wc-pif-core.php" script, the plugin registers the handle_downloads function with the admin_init hook in the __construct method:

add_action( 'admin_init', array( $this, 'handle_downloads' ) );

In the "handle_downloads" function, there is neither a capability check nor any input validation:

public function handle_downloads() {
   if ( isset( $_GET['alg_wc_pif_download_file'] ) ) { // phpcs:ignore WordPress.Security.NonceVerification
      $file_name  = $_GET['alg_wc_pif_download_file']; // phpcs:ignore
      $upload_dir = alg_get_uploads_dir( 'product_input_fields' );
      $file_path  = $upload_dir . '/' . $file_name;
      header( 'Expires: 0' );
      header( 'Cache-Control: must-revalidate, post-check=0, pre-check=0' );
      header( 'Cache-Control: private', false );
      header( 'Content-disposition: attachment; filename=' . $file_name );
      header( 'Content-Transfer-Encoding: binary' );
      header( 'Content-Length: ' . filesize( $file_path ) );
      readfile( $file_path );
      exit();
   }
}

It takes the filename assigned to $_GET['alg_wc_pif_download_file'], appends it to the plugin’s upload folder name, wp-content/uploads/woocommerce_uploads/alg_uploads/, and serves the corresponding file. Because the admin_init hook can be triggered by anyone, for instance by accessing admin-post.php or admin-ajax.php, unauthenticated users could download any file from the blog including the wp-config.php script, e.g., ../../../../../wp-config.php, that contains the database credentials, which could allow them to connect to the DB and take over the website.
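For comparison, here is a hardened version of that handler, added to this post as an example; it is not the fix shipped in 1.2.7. It keeps the plugin's alg_get_uploads_dir() helper and the alg_wc_pif_download_file query parameter, while the manage_woocommerce capability and the alg_wc_pif_download nonce action are names assumed for the example.

```php
<?php
// Added example, not the plugin's own code. Assumes the plugin's
// alg_get_uploads_dir() helper; the capability and nonce action are assumptions.
function alg_wc_pif_example_handle_downloads() {
	if ( ! isset( $_GET['alg_wc_pif_download_file'] ) ) {
		return;
	}

	// 1. Authorization: admin_init also fires for unauthenticated requests to
	//    admin-ajax.php, so reaching this hook proves nothing about the caller.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_die( 'You are not allowed to download this file.', '', array( 'response' => 403 ) );
	}

	// 2. Nonce: the download link must carry a nonce, so a privileged user
	//    cannot be made to fetch a file by following a crafted link.
	check_admin_referer( 'alg_wc_pif_download' );

	// 3. Input validation: reduce the parameter to a bare file name, which
	//    drops any directory components such as "../".
	$file_name = basename( sanitize_file_name( wp_unslash( $_GET['alg_wc_pif_download_file'] ) ) );
	if ( '' === $file_name ) {
		wp_die( 'Invalid file name.', '', array( 'response' => 400 ) );
	}

	// 4. Containment: resolve both paths and confirm the target really lives
	//    inside the upload directory before reading it.
	$upload_dir = realpath( alg_get_uploads_dir( 'product_input_fields' ) );
	$file_path  = false === $upload_dir ? false : realpath( $upload_dir . DIRECTORY_SEPARATOR . $file_name );
	if ( false === $file_path
		|| 0 !== strpos( $file_path, $upload_dir . DIRECTORY_SEPARATOR )
		|| ! is_file( $file_path ) ) {
		wp_die( 'File not found.', '', array( 'response' => 404 ) );
	}

	// Serve the file; the sanitized name is quoted in the header.
	nocache_headers();
	header( 'Content-Type: application/octet-stream' );
	header( 'Content-Disposition: attachment; filename="' . $file_name . '"' );
	header( 'Content-Length: ' . filesize( $file_path ) );
	readfile( $file_path );
	exit;
}
add_action( 'admin_init', 'alg_wc_pif_example_handle_downloads' );
```

The realpath() containment check is what stops a traversal even if a later change to the sanitization step lets a slash through.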

Timeline

The vulnerability was reported to the authors on July 20, 2020, and a new version, 1.2.7, was released on July 31, 2020.

Recommendations

Upgrade immediately if you have version 1.2.6 or below. If you are using our web application firewall for WordPress, NinjaFirewall WP Edition (free) or NinjaFirewall WP+ Edition (premium), you are protected against this vulnerability.

Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet