PT-2020-17374 · Woocommerce · Woocommerce Ultimate Gift Card

Bc0D3 · Published 2020-12-28 · Updated 2020-12-30 · CVE-2020-35627

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Ultimate WooCommerce Gift Cards version 3.0.2

Description
The issue allows for remote execution of arbitrary code due to a file upload vulnerability in the Custom GiftCard Template. This vulnerability is exploited when the Custom Gift Card Template function is used, enabling the upload of a custom image. By changing the image extension to PHP, an attacker can execute PHP code on the server.

Recommendations
For Ultimate WooCommerce Gift Cards version 3.0.2, consider disabling the Custom Gift Card Template function to prevent exploitation until a patch is available. Restrict access to the custom image upload feature to minimize the risk of arbitrary code execution.

Exploit

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2020-35627

Affected Products

Woocommerce Ultimate Gift Card