CVE-2024-13359
📋 TL;DR
The Product Input Fields for WooCommerce WordPress plugin has an arbitrary file upload vulnerability due to insufficient file type validation. Unauthenticated attackers can upload malicious files to the server, potentially leading to remote code execution. This affects all plugin versions up to and including 1.12.0.
💻 Affected Systems
- Product Input Fields for WooCommerce WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise, data theft, and website defacement.
Likely Case
File upload leading to webshell installation and limited server access.
If Mitigated
File upload attempts blocked by proper validation, with no successful exploitation.
🎯 Exploit Status
Requires understanding of double extension bypass techniques; .php uploads are simpler if the file extension field is left blank.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.1
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Product Input Fields for WooCommerce'.
4. Click 'Update Now' if available, or manually update to version 1.12.1 or higher.
🔧 Temporary Workarounds
Disable plugin
WordPress: Temporarily disable the vulnerable plugin until it is patched.
wp plugin deactivate product-input-fields-for-woocommerce
Restrict file uploads
WordPress: Configure the plugin to accept only specific safe file extensions.
In the plugin settings, set 'Accepted file extensions' to non-executable types such as .jpg, .png, .pdf
🧯 If You Can't Patch
- Disable the plugin entirely
- Implement web application firewall rules to block file uploads to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins.
Check Version:
wp plugin get product-input-fields-for-woocommerce --field=version
Verify Fix Applied:
Confirm plugin version is 1.12.1 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to WooCommerce endpoints
- POST requests to /wp-admin/admin-ajax.php with file upload parameters
- Files with double extensions like .jpg.php being uploaded
Network Indicators:
- HTTP POST requests with file uploads to product input field endpoints
- Unusual outbound connections from server after file uploads
SIEM Query:
source="web_server" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "wc-api") AND http_method="POST" AND (request_body CONTAINS "multipart/form-data" OR request_body CONTAINS "filename=")
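As an added example (not part of this advisory and not the plugin's own code), the following Python applies the log and SIEM indicators above to upload events, rating multipart POSTs to admin-ajax.php or wc-api endpoints and catching double extensions such as .jpg.php. It assumes a log source that records the multipart filename next to method and URI; the JSON record format, field names and sample records are constructed for this illustration.

```python
import json

# Constructed sample records, in the shape a WAF or reverse proxy that logs
# upload metadata might emit (hypothetical format, not any product's real output).
SAMPLE_LOG = """\
{"ts": "2025-01-10T10:00:01Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "ctype": "multipart/form-data; boundary=x1", "filename": "invoice.pdf", "src": "203.0.113.5"}
{"ts": "2025-01-10T10:00:07Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "ctype": "multipart/form-data; boundary=x2", "filename": "photo.jpg.php", "src": "203.0.113.9"}
{"ts": "2025-01-10T10:00:09Z", "method": "GET", "uri": "/wp-admin/admin-ajax.php", "ctype": "", "filename": "", "src": "203.0.113.9"}
{"ts": "2025-01-10T10:00:12Z", "method": "POST", "uri": "/wc-api/v3/orders", "ctype": "multipart/form-data; boundary=y1", "filename": "notes.phtml", "src": "198.51.100.4"}
{"ts": "2025-01-10T10:00:15Z", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "ctype": "application/x-www-form-urlencoded", "filename": "", "src": "203.0.113.5"}
"""

# Allowlist mirrors the 'Accepted file extensions' workaround above.
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "pdf"}
# Extensions a typical PHP-enabled web server will execute.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def classify_upload(record):
    """Rate one parsed record: 'high', 'medium', 'info', or None if not an upload of interest."""
    if record.get("method") != "POST":
        return None
    uri = record.get("uri", "")
    if "/wp-admin/admin-ajax.php" not in uri and "wc-api" not in uri:
        return None
    if not record.get("ctype", "").lower().startswith("multipart/form-data"):
        return None
    # Split on every dot so a double extension such as photo.jpg.php is
    # inspected segment by segment, not only by its last component.
    segments = record.get("filename", "").lower().split(".")[1:]
    if any(seg in EXECUTABLE_EXTENSIONS for seg in segments):
        return "high"
    if segments and segments[-1] not in SAFE_EXTENSIONS:
        return "medium"
    return "info"


def scan_log(text):
    """Return (severity, source IP, filename) for every record rated high or medium."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        severity = classify_upload(record)
        if severity in ("high", "medium"):
            alerts.append((severity, record.get("src", ""), record.get("filename", "")))
    return alerts
```

Running scan_log(SAMPLE_LOG) flags the .jpg.php and .phtml uploads as high while the plain .pdf upload and the non-multipart POST produce no alert.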
🔗 References
- https://plugins.trac.wordpress.org/browser/product-input-fields-for-woocommerce/tags/-1.8.2/includes/class-alg-wc-pif-main.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3234567%40product-input-fields-for-woocommerce&new=3234567%40product-input-fields-for-woocommerce&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3250201%40product-input-fields-for-woocommerce&new=3250201%40product-input-fields-for-woocommerce&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a9c08f2e-bffd-40a6-89f3-559cb34f4395?source=cve