slavco
May 31 · 2 min read
Slash

Knowing about underestimated WordPress issues pays off: you can tune your tooling for them and run security tests while doing ordinary functional tests. Let's look at how a missing wp_slash() around metadata handling comes back to bite the most popular e-commerce solution out there.

Bug

The vulnerable pattern is direct input reaching the meta_key parameter of add_metadata() (here the input arrives indirectly, through a hop called database storage: the key is first stored, then read back and passed on). If we check the add_metadata() code, it is obvious that

$meta_key = wp_unslash( $meta_key );

will remove any leading \ from the key. WordPress expects slashed input here, so callers that hand it unslashed data (read from the database or parsed from a file) get one backslash per pair stripped. A key such as \_foo does not look protected when it is checked (protected meta keys are the ones starting with _), but once add_metadata() unslashes it the key written to the postmeta table is _foo. That allows inserting protected meta into postmeta, which is enough for RCE in WooCommerce. See it in action in order to reproduce on your setup.

Fix

Just add an extra wp_slash() around the meta_key input (and around string values, for the same reason), e.g.

return add_metadata( $this->meta_type, $object->get_id(), wp_slash( $meta->key ), is_string( $meta->value ) ? wp_slash( $meta->value ) : $meta->value, false );
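The following is an added example, not code from the post, WordPress or WooCommerce. It reproduces the slash round-trip from the Bug and Fix sections above without a WordPress install: wp_unslash(), wp_slash(), is_protected_meta() and add_metadata() are minimal stand-ins with the relevant behaviour (WordPress implements them as stripslashes_deep(), a recursive addslashes(), a leading-underscore check, and an unslash-then-insert respectively), and import_meta() is a constructed caller standing for whatever layer screens meta keys before the data store, not WooCommerce's importer. The key name _some_protected_key is a placeholder, not the key used in the real attack.

```php
<?php
// Stand-ins for the WordPress helpers involved (not the real implementations).
function wp_unslash( $value ) {
    return is_array( $value ) ? array_map( 'wp_unslash', $value ) : stripslashes( $value );
}

function wp_slash( $value ) {
    return is_array( $value ) ? array_map( 'wp_slash', $value ) : addslashes( $value );
}

function is_protected_meta( $meta_key ) {
    // WordPress: keys starting with '_' are protected from ordinary editing.
    return '' !== $meta_key && '_' === $meta_key[0];
}

// Stand-in for the relevant part of add_metadata(): it unslashes the key before
// storing it, so the stored key can differ from the key the caller inspected.
$postmeta = array(); // stands in for the wp_postmeta table
function add_metadata( $object_id, $meta_key, $meta_value ) {
    global $postmeta;
    $meta_key   = wp_unslash( $meta_key );
    $meta_value = wp_unslash( $meta_value );
    $postmeta[] = array( 'post_id' => $object_id, 'meta_key' => $meta_key, 'meta_value' => $meta_value );
    return $meta_key; // the real function returns a meta_id; the stored key is returned here for illustration
}

// Constructed caller: rejects keys that look protected, then hands the key to the data store.
// $slash_first = false models the vulnerable data store, true models the fixed one.
function import_meta( $object_id, $key, $value, $slash_first ) {
    if ( is_protected_meta( $key ) ) {
        return null; // rejected before reaching the data store
    }
    $key_for_store   = $slash_first ? wp_slash( $key ) : $key;
    $value_for_store = ( $slash_first && is_string( $value ) ) ? wp_slash( $value ) : $value;
    return add_metadata( $object_id, $key_for_store, $value_for_store );
}

// Attacker-controlled key read back from storage: the literal string \_some_protected_key
// (PHP needs '\\' for one backslash). Placeholder name, not the key used in the real attack.
$attacker_key = '\\_some_protected_key';

// Vulnerable path: the protected-meta check passes (the key starts with '\'), but
// add_metadata() strips the backslash and stores the protected key.
var_dump( import_meta( 1, $attacker_key, 'payload', false ) ); // string(19) "_some_protected_key"

// Fixed path: wp_slash() doubles the backslash, wp_unslash() removes one again, and the
// stored key is exactly the key that was checked, which is not protected.
var_dump( import_meta( 1, $attacker_key, 'payload', true ) );  // string(20) "\_some_protected_key"

// A directly protected key is still rejected on both paths.
var_dump( import_meta( 1, '_direct', 'payload', true ) );      // NULL
```

Run it with php on the command line. The point of the fixed path is that wp_slash() and wp_unslash() cancel out, so the key that reaches the table is the one the caller checked; any caller that feeds add_metadata() unslashed data (from the database, a CSV file or an API body) needs the same treatment, since WordPress's meta functions assume request-style slashed input.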

Why disclosing this way?

The team is not responsive on email, and I'm not welcome on the H1 platform.

Attack vector

The vulnerability allows anyone who can manage products (a limited account in many stores) to execute code on the target store, through product import (the CSV one) and product duplication. For now the complete exploit won't be published, but it can be expected in the next few days.

Happy hacking!

Promo

If you are a WP developer, WP hosting provider or WP security product provider with a valuable list of clients, we offer a subscription list, and we are exceptional (B2B only).

websec

Attack sources + web application security
