CVE-2021-3120
📋 TL;DR
This vulnerability allows remote attackers to upload arbitrary PHP files to WordPress servers running the vulnerable YITH WooCommerce Gift Cards Premium plugin. Attackers can achieve remote code execution on the web server by exploiting a file upload validation bypass. Any WordPress site using the affected plugin version is vulnerable.
💻 Affected Systems
- YITH WooCommerce Gift Cards Premium plugin for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the web server, allowing attackers to execute arbitrary commands, steal data, install backdoors, and pivot to other systems.
Likely Case
Webshell installation leading to data theft, defacement, or use as part of a botnet.
If Mitigated
Limited impact if file uploads are restricted at web server level or WAF blocks malicious uploads.
🎯 Exploit Status
Exploitation requires adding a gift card product to cart first. Multiple public PoCs exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.1 and later
Vendor Advisory: https://yithemes.com/themes/plugins/yith-woocommerce-gift-cards/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find YITH WooCommerce Gift Cards Premium.
4. Click 'Update Now' if available.
5. If not, download version 3.3.1+ from the vendor site and upload it manually.
🔧 Temporary Workarounds
Disable plugin (all platforms)
Temporarily deactivate the vulnerable plugin until it is patched:
wp plugin deactivate yith-woocommerce-gift-cards-premium
Restrict PHP execution in the upload directory (Linux)
Configure the web server to deny requests for .php files under the upload directory, so that an uploaded script cannot be executed even if the plugin accepts it:
# Apache (httpd 2.4): <Files> cannot be nested inside <Location>, so match the request path directly
# (on httpd 2.2 replace "Require all denied" with "Order deny,allow" / "Deny from all")
<LocationMatch "^/wp-content/uploads/.*\.php$">
    Require all denied
</LocationMatch>
# Nginx: regex locations are tried in order, so place this before the generic "location ~ \.php$" block
location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
🧯 If You Can't Patch
- Disable the YITH WooCommerce Gift Cards Premium plugin immediately
- Implement web application firewall rules that block requests carrying the 'ywgc-upload-picture' parameter when the uploaded filename has a .php extension
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > YITH WooCommerce Gift Cards Premium. If version is below 3.3.1, you are vulnerable.
Check Version:
wp plugin get yith-woocommerce-gift-cards-premium --field=version
Verify Fix Applied:
Verify plugin version is 3.3.1 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with ywgc-upload-picture parameter
- File uploads with .php extension to upload directories
- Unusual .php files in wp-content/uploads/ directories
Network Indicators:
- HTTP POST requests containing 'ywgc-upload-picture' parameter with file upload data
- Subsequent requests to newly uploaded .php files
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND post_params CONTAINS "ywgc-upload-picture")
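As an added illustration of the log indicators above (example code written for this page, not part of the advisory or the plugin): a small detector over constructed Apache combined-format lines that flags the marker POST to admin-ajax.php, any request for a .php file under wp-content/uploads/, and the chain of both from one client. It assumes the query string is logged; in practice the upload parameter travels in a multipart POST body that standard access logs omit, so the first rule needs a source that records POST parameters (as the SIEM query's post_params field implies).

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache combined format); the query string is assumed to be logged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2021:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?ywgc-upload-picture=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2021:10:00:07 +0000] "GET /wp-content/uploads/2021/01/card.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2021:10:01:00 +0000] "GET /wp-content/uploads/2021/01/card.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2021:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2021:10:03:00 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 0 "-" "curl/7.68.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_MARKER = "ywgc-upload-picture"          # parameter named in the advisory
AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php$", re.IGNORECASE)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (ip, kind, uri, status) alerts: 'upload_attempt' (POST to admin-ajax.php
    carrying the marker), 'upload_then_exec' (.php under uploads/ fetched by an IP that
    POSTed earlier) or 'uploads_php_access' (such a fetch with no prior POST seen)."""
    alerts, posted = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, uri, status = rec["ip"], rec["uri"], int(rec["status"])
        path = uri.split("?", 1)[0]
        if rec["method"] == "POST" and path == AJAX_PATH and UPLOAD_MARKER in uri:
            alerts.append((ip, "upload_attempt", uri, status))
            posted.add(ip)
        elif UPLOADS_PHP.match(path):
            kind = "upload_then_exec" if ip in posted else "uploads_php_access"
            alerts.append((ip, kind, uri, status))
    return alerts

def by_ip(alerts):
    """Group alert kinds per client so the upload-then-execute chain is visible per source."""
    grouped = defaultdict(list)
    for ip, kind, _uri, _status in alerts:
        grouped[ip].append(kind)
    return dict(grouped)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```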