Executive Summary

The Pix for WooCommerce plugin for WordPress has a vulnerability that allows unauthenticated attackers to upload arbitrary files to the affected site's server. This happens because the plugin's function 'lkn_pix_for_woocommerce_c6_save_settings' lacks proper capability checks and file type validation in all versions up to and including 1.5.0.

This arbitrary file upload vulnerability can potentially enable remote code execution, meaning attackers could run malicious code on the server hosting the website.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized file uploads by attackers without authentication, which may lead to remote code execution on your server.

Such an exploit could allow attackers to take control of your website, manipulate or steal data, disrupt services, or use your server for malicious activities.

The CVSS v3.1 base score of 9.8 indicates a critical severity with high impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking for the presence of the Pix for WooCommerce plugin version 1.5.0 or earlier on your WordPress site, as these versions lack proper capability checks and file type validation allowing arbitrary file uploads.'}, {'type': 'paragraph', 'content': "Since the vulnerability allows unauthenticated arbitrary file uploads via the 'lkn_pix_for_woocommerce_c6_save_settings' function, monitoring for unexpected POST requests to this AJAX endpoint or unusual file uploads on the server could indicate exploitation attempts."}, {'type': 'paragraph', 'content': 'Specific commands to detect this might include:'}, {'type': 'list_item', 'content': "Using web server logs to search for POST requests to admin-ajax.php with the action parameter set to 'lkn_pix_for_woocommerce_c6_save_settings'. For example, on a Linux server: `grep 'action=lkn_pix_for_woocommerce_c6_save_settings' /var/log/apache2/access.log`"}, {'type': 'list_item', 'content': 'Checking for recently uploaded files in the WordPress uploads directory or other writable directories that could be suspicious: `find /path/to/wordpress/wp-content/uploads -type f -mtime -7` to find files modified in the last 7 days.'}, {'type': 'list_item', 'content': 'Using WordPress CLI to check the installed plugin version: `wp plugin get pix-for-woocommerce --field=version`'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Pix for WooCommerce plugin to version 1.6.0 or later, where the vulnerability is addressed by enforcing authenticated AJAX requests and secure nonce generation.

This update removes unauthenticated AJAX access to critical endpoints and adds nonce-based authentication to prevent arbitrary file uploads and potential remote code execution.

If updating immediately is not possible, restrict access to the WordPress admin AJAX endpoint (admin-ajax.php) from unauthenticated users via web server or firewall rules as a temporary measure.

Additionally, monitor your site for suspicious activity and consider scanning for any uploaded malicious files.

Useful 0 Not Useful 0