CVE-2024-10820
📋 TL;DR
The WooCommerce Upload Files plugin for WordPress, in all versions up to and including 84.3, lets unauthenticated attackers upload arbitrary files to the server because its upload handler does not validate file types. An uploaded PHP file can then be requested directly from the web server, which gives remote code execution and potentially full control of the affected site.
💻 Affected Systems
- WooCommerce Upload Files WordPress plugin, versions up to and including 84.3
📦 What is this software?
A commercial WordPress plugin sold on CodeCanyon that adds customer file uploads to WooCommerce product pages and orders, so the vulnerable upload handler is exposed on the public storefront by design.
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise leading to data theft, ransomware deployment, website defacement, and use as a pivot point for attacking other systems.
Likely Case
Attackers upload web shells to gain persistent access, install malware, steal sensitive data, or use the server for malicious activities like cryptocurrency mining.
If Mitigated
Uploads are blocked or properly validated, so executable files are neither stored nor served, while legitimate customer uploads keep working.
🎯 Exploit Status
A single HTTP POST carrying a malicious file to the plugin's upload handler is enough to exploit this vulnerability. No authentication or session is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 84.4 or later
Vendor page (CodeCanyon listing; check its changelog for 84.4): https://codecanyon.net/item/woocommerce-upload-files/11442983
Restart Required: No
Instructions:
1. Log into the WordPress admin panel
2. Go to Plugins → Installed Plugins
3. Find 'WooCommerce Upload Files'
4. Click 'Update Now' if an update is offered
5. If no update is offered, download 84.4 or later from your CodeCanyon downloads page and install it manually (CodeCanyon plugins do not always update through the WordPress updater); if you cannot obtain a patched build, deactivate and remove the plugin immediately
🔧 Temporary Workarounds
Disable Plugin
Temporarily disable the vulnerable plugin until it is patched (applies on any platform):
wp plugin deactivate woocommerce-upload-files
Web Server File Upload Restriction
Configure the web server (Linux examples below) to refuse to serve PHP files from the directory the plugin writes uploads to. Check where the plugin actually stores files; if they land under wp-content/uploads, apply the same rule to that directory. Note that denying PHP in the plugin directory itself also blocks the plugin's own PHP entry points, so that rule is close to deactivating the plugin.
# For Apache: add to .htaccess in the upload directory. The pattern has no "$" anchor on purpose,
# so double extensions such as shell.php.jpg (which mod_php multi-extension handling can execute) are covered too.
<FilesMatch "\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)">
  # Apache 2.4
  Require all denied
  # Apache 2.2 (or 2.4 with mod_access_compat loaded)
  # Order Allow,Deny
  # Deny from all
</FilesMatch>
# For Nginx: add to the server block, above the generic "location ~ \.php$" handler.
# Regex locations are matched in order of appearance, so this block must come first or the PHP handler wins.
location ~* /wp-content/plugins/woocommerce-upload-files/.*\.(php|phtml|php3|php4|php5|php7|phps|php-s|pht|phar)$ {
    deny all;
}
🧯 If You Can't Patch
- Immediately deactivate and remove the plugin from all WordPress installations (check staging and backup copies too)
- Add web application firewall (WAF) rules that block, and alert on, POST requests to the plugin's upload endpoint
🔍 How to Verify
Check if Vulnerable:
In WordPress admin → Plugins → Installed Plugins, look for 'WooCommerce Upload Files'; a listed version of 84.3 or earlier means the site is vulnerable
Check Version:
wp plugin get woocommerce-upload-files --field=version
Verify Fix Applied:
Confirm the plugin version is 84.4 or later, or that the plugin is neither installed nor active
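A version check that can be run against the plugin's main file header or the version string from the wp-cli command above, as an added example that is not part of this advisory or of the plugin. It compares versions numerically, so 84.10 is correctly treated as newer than 84.4 (a plain string comparison would get that wrong). The plugin header below is constructed for the example, and because this page does not name the plugin's main PHP file, the path is taken as a command-line argument.

```python
import re
import sys

# Patched version stated in the advisory: 84.4 or later fixes CVE-2024-10820.
PATCHED_VERSION = "84.4"


def parse_version(version):
    """Split a dotted version string into a tuple of ints for numeric comparison.

    '84.3' -> (84, 3) and '84.10' -> (84, 10), so tuple comparison gives
    84.10 > 84.4, whereas string comparison would claim '84.10' < '84.4'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed_version):
    """True when the installed version is below the patched version."""
    return parse_version(installed_version) < parse_version(PATCHED_VERSION)


def version_from_plugin_header(header_text):
    """Extract the 'Version:' field from a WordPress plugin file header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


# Constructed sample of a WordPress plugin header (not the real plugin file).
SAMPLE_HEADER = """<?php
/*
Plugin Name: WooCommerce Upload Files
Version: 84.3
*/
"""


def assess(header_text):
    """Return (version, vulnerable) for a plugin header; (None, None) if no Version field."""
    version = version_from_plugin_header(header_text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    # Usage: python check_wcuf.py /path/to/wp-content/plugins/woocommerce-upload-files/<main-file>.php
    # With no argument the constructed sample header is assessed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HEADER
    version, vulnerable = assess(text)
    if version is None:
        print("no Version: header found")
    else:
        state = "VULNERABLE" if vulnerable else "patched"
        print(f"installed {version}: {state} (fixed in {PATCHED_VERSION})")
```

The same `is_vulnerable` function can be fed the output of `wp plugin get woocommerce-upload-files --field=version` from a fleet inventory script, which avoids the string-comparison pitfall when a later release crosses into double-digit minor numbers.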
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-content/plugins/woocommerce-upload-files/upload.php
- Multiple file upload attempts with PHP/executable extensions
- Files with suspicious names (shell.php, cmd.php, etc.) appearing in upload directories
Network Indicators:
- HTTP POST requests to upload endpoints from unexpected IPs
- Traffic patterns showing file uploads followed by execution attempts
SIEM Query (generic field names; map them to your SIEM's schema):
source="web_server" AND (uri_path="/wp-content/plugins/woocommerce-upload-files/upload.php" OR uri_path LIKE "%/woocommerce-upload-files/%") AND http_method="POST"
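The log and file indicators above, turned into a small detector that runs over web server access logs and an uploads directory, as an added example that is not part of this advisory or of the plugin. It assumes the Apache/nginx combined log format, uses the upload.php path named in the indicators above as the endpoint to watch, and correlates upload POSTs with later requests for executable files under wp-content/uploads from the same client. The access log lines are constructed for the example and use documentation IP ranges.

```python
import os
import re

# Endpoint named in the log indicators; a prefix match covers other files under the plugin too.
PLUGIN_PREFIX = "/wp-content/plugins/woocommerce-upload-files/"
UPLOADS_PREFIX = "/wp-content/uploads/"

# Extensions a web server may execute. The trailing (\.|$) also catches double
# extensions such as shell.php.jpg, which mod_php multi-extension handling can run.
EXEC_EXT = re.compile(r"\.(php|phtml|php[3457]|phps|pht|phar)(\.|$)", re.IGNORECASE)

# Apache/nginx combined log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample access log (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2024:10:01:12 +0000] "GET /product/hoodie/ HTTP/1.1" 200 5123
203.0.113.7 - - [12/Nov/2024:10:01:20 +0000] "POST /wp-content/plugins/woocommerce-upload-files/upload.php HTTP/1.1" 200 93
203.0.113.7 - - [12/Nov/2024:10:01:25 +0000] "GET /wp-content/uploads/2024/11/shell.php?cmd=id HTTP/1.1" 200 77
198.51.100.4 - - [12/Nov/2024:10:05:00 +0000] "GET /wp-content/uploads/2024/11/photo.jpg HTTP/1.1" 200 40211
198.51.100.9 - - [12/Nov/2024:10:06:00 +0000] "GET /wp-content/uploads/2024/11/img.php.jpg HTTP/1.1" 404 12
"""


def is_executable_name(name):
    """True if a file or URL name carries a server-executable extension (double extensions included)."""
    return EXEC_EXT.search(name) is not None


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines):
    """Return a list of (kind, ip, path) alerts in log order.

    kinds: 'upload_post'        POST to the plugin's upload endpoint
           'exec_after_upload'  request for an executable file under uploads by an IP that POSTed earlier
           'php_in_uploads'     request for an executable file under uploads with no prior upload seen
    """
    alerts = []
    uploaders = set()  # client IPs that hit the upload endpoint earlier in the log
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before extension checks
        ip = rec["ip"]
        if rec["method"] == "POST" and path.startswith(PLUGIN_PREFIX):
            alerts.append(("upload_post", ip, path))
            uploaders.add(ip)
        elif path.startswith(UPLOADS_PREFIX) and is_executable_name(path):
            kind = "exec_after_upload" if ip in uploaders else "php_in_uploads"
            alerts.append((kind, ip, path))
    return alerts


def find_executable_files(root):
    """Walk an uploads directory on disk and list files with executable extensions."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_executable_name(name):
                hits.append(os.path.join(dirpath, name))
    return hits


if __name__ == "__main__":
    for kind, ip, path in analyze(SAMPLE_LOG.splitlines()):
        print(f"{kind:18} {ip:15} {path}")
```

Run `find_executable_files("/var/www/html/wp-content/uploads")` on the server (path assumed) to cover the file-based indicator; a 404 for a .php name under uploads, like the last sample line, is still worth an alert because it shows someone probing for a web shell even if the upload did not land.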