CVE-2024-2381
📋 TL;DR
The AliExpress Dropshipping with AliNext Lite WordPress plugin allows authenticated attackers with subscriber-level access or higher to upload arbitrary files due to missing file type validation. This vulnerability can lead to remote code execution on affected WordPress sites. All versions up to and including 3.3.5 are vulnerable.
💻 Affected Systems
- AliExpress Dropshipping with AliNext Lite WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise through remote code execution, allowing attackers to install malware, steal data, deface websites, or pivot to other systems.
Likely Case
Website defacement, backdoor installation, data theft, or cryptocurrency mining malware deployment.
If Mitigated
Limited impact with proper file upload restrictions, web application firewalls, and least privilege access controls in place.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. Subscriber accounts are sufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'AliExpress Dropshipping with AliNext Lite'. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 3.3.6+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate ali2woo-lite
Restrict file uploads via .htaccess
linuxBlock execution of uploaded files in upload directories
Add to .htaccess in wp-content/uploads: <FilesMatch "\.(php|php5|phtml|pl|py|jsp|asp|sh|cgi)">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>
🧯 If You Can't Patch
- Disable user registration or restrict to trusted users only
- Implement web application firewall rules to block suspicious file uploads
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 3.3.5 or lower, you are vulnerable.Check Version:
wp plugin get ali2woo-lite --field=versionVerify Fix Applied:
Verify plugin version is 3.3.6 or higher. Test file upload functionality with non-image files to confirm validation is working.📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads to wp-content/uploads/ directory
- POST requests to /wp-admin/admin-ajax.php with action=save_image
- Files with double extensions like .jpg.php
Network Indicators:
- HTTP POST requests with file uploads to WordPress admin endpoints from unexpected sources
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data CONTAINS "save_image") AND file_extension IN ("php", "php5", "phtml", "pl", "py", "jsp", "asp", "sh", "cgi")🔗 References
- https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve
- https://plugins.trac.wordpress.org/browser/ali2woo-lite/trunk//includes/classes/controller/WooCommerceProductEditController.php#L108
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c3248327-6e10-420e-83cf-a23296eb2e6f?source=cve
