CVE-2016-20075
Arbitrary File Upload in WordPress Ultimate Product Catalog

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.
Meta Information
Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-06-15
AI Q&A
2026-06-15
EPSS Evaluated
N/A
Affected Vendors & Products
Vendor: wpultimateproductcatalog
Product: ultimate_product_catalog
Version / Range: up to and including 3.8.6
CWE
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2016-20075 is an arbitrary file upload vulnerability in the WordPress Ultimate Product Catalog plugin version 3.8.6 and earlier.

Authenticated users with roles such as contributor, editor, author, or administrator can exploit the plugin's custom fields feature to upload malicious files, specifically PHP shells.

These malicious files are uploaded through the Products tab custom file field and stored in the "upcp-product-file-uploads" directory, allowing attackers to access and execute arbitrary code on the server.

The vulnerability arises because the plugin's code fails to properly validate file extensions, enabling attackers to bypass security controls.

Impact Analysis

This vulnerability allows attackers with certain authenticated roles to upload malicious PHP files that can be executed on the server.

Successful exploitation can lead to remote code execution (RCE), which means attackers can run arbitrary commands or code on the affected server.

This can result in full compromise of the server, including data theft, data manipulation, service disruption, or using the server as a foothold for further attacks.

Detection Guidance

This vulnerability can be detected by checking for the presence of uploaded PHP files in the 'upcp-product-file-uploads' directory of the WordPress Ultimate Product Catalog plugin. Since the exploit involves uploading malicious PHP shells via the custom file fields, scanning this directory for unexpected or suspicious PHP files is a key detection method.

Additionally, monitoring authenticated user activities with contributor, editor, author, or administrator roles for unusual file uploads through the Products tab custom fields can help identify exploitation attempts.

Suggested commands to detect potential exploitation include:

  • Using the find command on the server to locate PHP files in the upload directory: find /path/to/wordpress/wp-content/uploads/upcp-product-file-uploads -name "*.php"
  • Checking web server access logs (path shown for a default Apache layout) for requests to files in the 'upcp-product-file-uploads' directory that may indicate access to uploaded shells: grep "upcp-product-file-uploads" /var/log/apache2/access.log
  • Reviewing WordPress user activity logs (if available) for file upload actions by users with contributor, editor, author, or administrator roles.
Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability for users with contributor, editor, author, or administrator roles to upload files via the custom fields functionality in the WordPress Ultimate Product Catalog plugin.

Removing or restricting access to the 'upcp-product-file-uploads' directory to prevent execution of uploaded PHP files can reduce the risk of remote code execution.

Applying any available patches or updates from the plugin vendor that address this vulnerability is recommended once they become available.

As a temporary measure, consider implementing web server rules (e.g., .htaccess) to block execution of PHP files in the upload directory.

Review and audit user roles and permissions to ensure that only trusted users have the ability to upload files.
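The detection commands listed under Detection Guidance and the .htaccess measure from the mitigation section, combined into one POSIX shell script as an added example; this is not part of the advisory or the plugin's own code. The upload path, the access-log lines and the file names are constructed for the demo; the list of PHP-executable extensions and the Apache 2.4 "Require all denied" directive are this example's choices, not something the page specifies.

```shell
#!/bin/sh
# Added example (not from the advisory): defender-side checks for the
# upcp-product-file-uploads directory. Paths and sample data below are
# constructed for the demo; pass real paths to the functions on a live site.

# Lists files under the upload directory whose name ends in an extension the
# web server may hand to PHP (.php, .phtml, .php5, .phar). This also catches
# double-extension names such as image.jpg.phtml. Extension list is an
# assumption of this example.
find_php_uploads() {
    dir="$1"
    find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
        -o -iname '*.php[0-9]' -o -iname '*.phar' \) 2>/dev/null | sort
}

# Prints access-log lines that request a PHP-like file inside the upload
# directory, i.e. a direct hit on an uploaded file rather than the upload
# itself. Works on the common Apache/nginx combined log format.
find_shell_hits() {
    log="$1"
    grep -E 'upcp-product-file-uploads/[^ "]*\.ph(p[0-9]?|tml|ar)([ ?"]|$)' "$log"
}

# Writes an .htaccess that makes Apache (2.4 syntax) refuse direct requests
# to PHP-like files in the upload directory: the "temporary measure" from the
# mitigation section. It does not delete anything already uploaded.
write_deny_php_htaccess() {
    dir="$1"
    cat > "$dir/.htaccess" <<'EOF'
# Deny direct requests to PHP-like files in this upload directory
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Demo on constructed data in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    up="$tmp/wp-content/uploads/upcp-product-file-uploads"
    mkdir -p "$up"
    : > "$up/datasheet.pdf"        # legitimate product file
    : > "$up/shell.php"            # constructed: empty stand-in for an uploaded PHP file
    : > "$up/image.jpg.phtml"      # constructed: double-extension upload
    cat > "$tmp/access.log" <<'EOF'
203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-content/uploads/upcp-product-file-uploads/datasheet.pdf HTTP/1.1" 200 512
203.0.113.5 - - [15/Jun/2026:10:00:07 +0000] "GET /wp-content/uploads/upcp-product-file-uploads/shell.php?cmd=id HTTP/1.1" 200 87
203.0.113.9 - - [15/Jun/2026:10:01:00 +0000] "GET /wp-admin/admin.php?page=upcp-products HTTP/1.1" 200 2048
EOF
    echo "PHP-like files in upload directory:"
    find_php_uploads "$up"
    echo "Access-log lines requesting PHP-like files there:"
    find_shell_hits "$tmp/access.log"
    write_deny_php_htaccess "$up"
    echo "Wrote $up/.htaccess"
    rm -rf "$tmp"
}

demo
```

On a real site, call the three functions with the actual wp-content/uploads/upcp-product-file-uploads path and the web server's access log instead of running demo. Denying direct requests reduces the risk of execution but leaves the files in place, so anything find_php_uploads reports still has to be reviewed and removed, and the user account that uploaded it identified.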
