CVE-2014-9308
Published 2015-01-15
Priority: P2 · 62 · medium · 6.5 (CVSS 2.0)
AV:N/AC:L/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 51.62% (98.8th percentile)
Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpeasycart | wp_easycart | <= 3.0.8 | — |
Detection & IOCs
- Monitor for multipart/form-data POST requests to /inc/amfphp/administration/banneruploaderscript.php containing files with executable extensions (e.g., .php).
- Alert on GET requests to files under products/banners/ with executable extensions (e.g., .php), which indicate payload execution after upload.
- Flag authentication attempts using the default credential pair 'demouser'/'demouser' against WP EasyCart installations, as this is the default admin account used by attackers.
- In versions <= 3.0.8, any authenticated WordPress user (any role) can exploit this vulnerability; monitor all authenticated POST requests to the uploader endpoint, not just those from admin accounts.
- Exploitation requires authentication. In versions <= 3.0.8, any WordPress role suffices; in later versions (up to < 3.0.9), a valid EasyCart admin password is required.
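The first two checks above can be run over web server access logs. The following is an added example, not a rule from any of the indexed sources; the extension list beyond .php, the severity labels, the plugin install path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

UPLOADER = "/inc/amfphp/administration/banneruploaderscript.php"
# Assumption: extensions a typical PHP handler runs; the page names only .php.
# "(?:/|$)" also catches path-info requests such as banners/x.php/extra.
EXEC_IN_BANNERS = re.compile(r"/products/banners/.*\.(?:php\d?|phtml|phar)(?:/|$)")
# Common/combined log format: ip ident user [time] "METHOD target PROTO" status
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify(line):
    """Return (ip, kind, status) for a suspicious request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    # Normalise: drop the query string, decode %xx, ignore case (x.PHP, %2Ephp).
    path = unquote(urlsplit(target).path).lower()
    if method == "POST" and path.endswith(UPLOADER):
        return ip, "upload", status
    if EXEC_IN_BANNERS.search(path):
        return ip, "exec", status
    return None

def scan(lines):
    """Return (severity, ip, kind, status) alerts in log order."""
    uploaders, alerts = set(), []
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        ip, kind, status = hit
        if kind == "upload":
            uploaders.add(ip)
        # A script request from a client that already used the uploader is the
        # upload-then-execute sequence described in the CVE summary.
        high = kind == "exec" and ip in uploaders
        alerts.append(("high" if high else "medium", ip, kind, status))
    return alerts

# Constructed sample lines (documentation IPs, assumed plugin install path).
P = "/wp-content/plugins/wp-easycart"
SAMPLE = [
    f'192.0.2.10 - - [10/Jan/2015:10:00:00 +0000] "POST {P}{UPLOADER} HTTP/1.1" 200 12',
    f'192.0.2.10 - - [10/Jan/2015:10:00:05 +0000] "GET {P}/products/banners/a_1.PHP?x=1 HTTP/1.1" 200 40',
    f'198.51.100.7 - - [10/Jan/2015:10:01:00 +0000] "GET {P}/products/banners/summer.jpg HTTP/1.1" 200 9000',
    f'198.51.100.7 - - [10/Jan/2015:10:02:00 +0000] "GET {P}/products/banners/b.php HTTP/1.1" 404 0',
]
```

Access logs normally do not record the uploaded filename, so the uploader POST is flagged on its own and the response status is kept for triage (a 200 on a script under products/banners/ means the file exists and was served).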
No detection rules found.
Exploit-DB
WordPress Plugin WP EasyCart - Unrestricted Arbitrary File Upload (Metasploit)
exploitdb·2015-02-10
---
##
# This module requires Metasploit: http://www.metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'WordPress WP EasyCart Unrestricted File Upload',
'Description' => %q{WordPress Shopping Cart (WP EasyCart) Plugin for
WordPress contains a flaw that allows a remote
attacker to execute arbitrary PHP code. This
flaw exists because the
/inc/amfphp/administration/banneruploaderscript.php
script does not properly verify or sanitize
user-uploaded files. By uploading a .php file,
the remote system will place the file in a
user-accessible path. Making a direct request to
the uploaded file will allow the attacker to
execute the script w
Exploit-DB
WordPress Plugin Shopping Cart 3.0.4 - Unrestricted Arbitrary File Upload
exploitdb·2015-01-08·CVSS 6.5
---
Metasploit
WordPress WP EasyCart Unrestricted File Upload
metasploit
WordPress Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /inc/amfphp/administration/banneruploaderscript.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web server. In versions <= 3.0.8 authentication can be done by using the WordPress credentials of a user with any role. In later versions, a valid EasyCart admin password will be required that is in use by any admin user. A default installation of EasyCart will
No writeups or analysis indexed.
- http://osvdb.org/show/osvdb/116806
- http://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html
- http://security.szurek.pl/wordpress-shopping-cart-304-unrestricted-file-upload.html
- http://www.exploit-db.com/exploits/35730
- http://www.securityfocus.com/bid/71983
- https://wordpress.org/plugins/wp-easycart/changelog/
Published: 2015-01-15