Knowing the underappreciated quirks of WordPress pays off: you can tune the "tool" and run security tests while doing functional tests. Let's look at how a missing wp_slash in metadata handling takes its toll on the most popular e-commerce solution out there.
The vulnerable code: user input reaches the meta_key parameter of add_metadata directly (this time the direct input arrives via a hop called database storage). If we check the add_metadata code, it is obvious that
$meta_key = wp_unslash( $meta_key );
will remove any leading \, and that allows inserting protected meta into the postmeta database table, which is enough for RCE in WooCommerce. See it in action to reproduce it on your setup.
Just add an extra wp_slash to the meta_key (and meta_value) input, e.g.
return add_metadata( $this->meta_type, $object->get_id(), wp_slash( $meta->key ), is_string( $meta->value ) ? wp_slash( $meta->value ) : $meta->value, false );
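To make the mechanism concrete, here is an added Python model (not WordPress or WooCommerce code) of the vulnerable and fixed call paths: PHP's stripslashes/addslashes stand in for wp_unslash/wp_slash, a one-line prefix check stands in for is_protected_meta, and the assumption is that some upstream gate rejects protected keys by looking at the raw input only.

```python
import re

# Constructed, minimal stand-ins for the PHP/WordPress functions involved.
# They model the behaviour discussed above; they are not the real implementations.

def php_addslashes(s: str) -> str:
    """Model of PHP addslashes() as used by wp_slash(): escape ' " and \\ with a backslash."""
    return re.sub(r"(['\"\\])", r"\\\1", s)

def php_stripslashes(s: str) -> str:
    """Model of PHP stripslashes() as used by wp_unslash(): drop one level of escaping."""
    return re.sub(r"\\(.)", r"\1", s, flags=re.S)

def is_protected_meta(meta_key: str) -> bool:
    """Model of WordPress is_protected_meta(): keys starting with '_' are protected."""
    return meta_key.startswith("_")

def add_metadata(postmeta: dict, meta_key: str, meta_value: str) -> str:
    """Model of add_metadata(): wp_unslash() both arguments, then write them to postmeta."""
    key = php_stripslashes(meta_key)          # the line quoted above
    postmeta[key] = php_stripslashes(meta_value)
    return key

def save_meta_vulnerable(postmeta: dict, raw_key: str, raw_value: str):
    """Caller that gates on the raw key, then passes it to add_metadata unslashed (the bug)."""
    if is_protected_meta(raw_key):            # assumed upstream gate on the raw input
        return None                           # rejected
    return add_metadata(postmeta, raw_key, raw_value)

def save_meta_fixed(postmeta: dict, raw_key: str, raw_value: str):
    """Same caller after the fix: wp_slash() the input so the unslash inside is a no-op."""
    if is_protected_meta(raw_key):
        return None
    return add_metadata(postmeta, php_addslashes(raw_key), php_addslashes(raw_value))

def audit_protected_keys(postmeta: dict) -> list:
    """Defender's check: protected keys in the store, which should never originate from user input."""
    return sorted(k for k in postmeta if is_protected_meta(k))

if __name__ == "__main__":
    raw_key = "\\_hidden"                     # constructed input: backslash before the underscore
    vuln, fixed = {}, {}
    print("vulnerable path stored:", save_meta_vulnerable(vuln, raw_key, "v"), audit_protected_keys(vuln))
    print("fixed path stored:     ", save_meta_fixed(fixed, raw_key, "v"), audit_protected_keys(fixed))
```

The vulnerable path stores the key as `_hidden` although the gate saw `\_hidden`; after the fix the stored key keeps its backslash and the audit finds nothing.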
Why disclose this way?
The team is not responsive on email and I'm not welcome on the H1 platform.
The vulnerability allows anyone who can manage products (limited accounts in many stores), through import (the CSV one) and duplicate, to execute code on the target store. For now the complete exploit won't be published, but it can be expected in the next few days.
If you are a WP developer, WP hosting provider or WP security product provider with a valuable list of clients, we offer a subscription list and we are exceptional (B2B only).