Vulnerabilities > CVE-2014-9308 - Unspecified vulnerability in Wpeasycart WP Easycart

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

wpeasycart

exploit available

metasploit

NVD

Published: 2015-01-15

Updated: 2024-11-21

Summary

Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.

Vulnerable Configurations

Part	Description	Count
Application	Wpeasycart Wpeasycart WP Easycart 1.1.30 Wpeasycart WP Easycart 1.1.31 Wpeasycart WP Easycart 1.1.32 Wpeasycart WP Easycart 1.1.33 Wpeasycart WP Easycart 1.1.34 Wpeasycart WP Easycart 1.1.35 Wpeasycart WP Easycart 1.1.36 Wpeasycart WP Easycart 1.2.0 Wpeasycart WP Easycart 1.2.1 Wpeasycart WP Easycart 1.2.2 Wpeasycart WP Easycart 1.2.3 Wpeasycart WP Easycart 1.2.4 Wpeasycart WP Easycart 1.2.5 Wpeasycart WP Easycart 1.2.6 Wpeasycart WP Easycart 1.2.7 Wpeasycart WP Easycart 1.2.8 Wpeasycart WP Easycart 1.2.9 Wpeasycart WP Easycart 1.2.10 Wpeasycart WP Easycart 1.2.11 Wpeasycart WP Easycart 1.2.12 Wpeasycart WP Easycart 1.2.13 Wpeasycart WP Easycart 1.2.14 Wpeasycart WP Easycart 1.2.15 Wpeasycart WP Easycart 1.2.16 Wpeasycart WP Easycart 2.0.1 Wpeasycart WP Easycart 2.0.1\@824267 Wpeasycart WP Easycart 2.0.2 Wpeasycart WP Easycart 2.0.3 Wpeasycart WP Easycart 2.0.4 Wpeasycart WP Easycart 2.0.5 Wpeasycart WP Easycart 2.0.6 Wpeasycart WP Easycart 2.0.7 Wpeasycart WP Easycart 2.0.8 Wpeasycart WP Easycart 2.0.9 Wpeasycart WP Easycart 2.0.10 Wpeasycart WP Easycart 2.0.11 Wpeasycart WP Easycart 2.0.12 Wpeasycart WP Easycart 2.0.13 Wpeasycart WP Easycart 2.0.14 Wpeasycart WP Easycart 2.0.15 Wpeasycart WP Easycart 2.0.16 Wpeasycart WP Easycart 2.0.17 Wpeasycart WP Easycart 2.0.18 Wpeasycart WP Easycart 2.0.19 Wpeasycart WP Easycart 2.0.20 Wpeasycart WP Easycart 2.0.21 Wpeasycart WP Easycart 2.0.22 Wpeasycart WP Easycart 2.1.0 Wpeasycart WP Easycart 2.1.1 Wpeasycart WP Easycart 2.1.2 Wpeasycart WP Easycart 2.1.3 Wpeasycart WP Easycart 2.1.4 Wpeasycart WP Easycart 2.1.5 Wpeasycart WP Easycart 2.1.6 Wpeasycart WP Easycart 2.1.7 Wpeasycart WP Easycart 2.1.8 Wpeasycart WP Easycart 2.1.9 Wpeasycart WP Easycart 2.1.10 Wpeasycart WP Easycart 2.1.11 Wpeasycart WP Easycart 2.1.12 Wpeasycart WP Easycart 2.1.13 Wpeasycart WP Easycart 2.1.14 Wpeasycart WP Easycart 2.1.15 Wpeasycart WP Easycart 2.1.16 Wpeasycart WP Easycart 2.1.17 Wpeasycart WP Easycart 2.1.18 Wpeasycart WP Easycart 2.1.19 Wpeasycart WP Easycart 2.1.20 Wpeasycart WP Easycart 2.1.21 Wpeasycart WP Easycart 2.1.22 Wpeasycart WP Easycart 2.1.23 Wpeasycart WP Easycart 2.1.24 Wpeasycart WP Easycart 2.1.25 Wpeasycart WP Easycart 2.1.26 Wpeasycart WP Easycart 2.1.27 Wpeasycart WP Easycart 2.1.28 Wpeasycart WP Easycart 2.1.29 Wpeasycart WP Easycart 2.1.30 Wpeasycart WP Easycart 2.1.31 Wpeasycart WP Easycart 2.1.32 Wpeasycart WP Easycart 2.1.33 Wpeasycart WP Easycart 2.1.34 Wpeasycart WP Easycart 2.1.35 Wpeasycart WP Easycart 2.1.36 Wpeasycart WP Easycart 3.0.0 Wpeasycart WP Easycart 3.0.1 Wpeasycart WP Easycart 3.0.2 Wpeasycart WP Easycart 3.0.3 Wpeasycart WP Easycart 3.0.4 Wpeasycart WP Easycart 3.0.5 Wpeasycart WP Easycart 3.0.6 Wpeasycart WP Easycart 3.0.7 Wpeasycart WP Easycart 3.0.8	93

Exploit-Db

description	WordPress Shopping Cart 3.0.4 - Unrestricted File Upload. CVE-2014-9308. Webapps exploit for php platform
file	exploits/php/webapps/35730.html
id	EDB-ID:35730
last seen	2016-02-04
modified	2015-01-08
platform	php
port	80
published	2015-01-08
reporter	Kacper Szurek
source	https://www.exploit-db.com/download/35730/
title	WordPress Shopping Cart 3.0.4 - Unrestricted File Upload
type	webapps

description	WordPress WP EasyCart Unrestricted File Upload. CVE-2014-9308. Webapps exploit for php platform
id	EDB-ID:36043
last seen	2016-02-04
modified	2015-02-10
published	2015-02-10
reporter	metasploit
source	https://www.exploit-db.com/download/36043/
title	WordPress WP EasyCart - Unrestricted File Upload

Metasploit

description	WordPress Shopping Cart (WP EasyCart) Plugin for WordPress contains a flaw that allows a remote attacker to execute arbitrary PHP code. This flaw exists because the /inc/amfphp/administration/banneruploaderscript.php script does not properly verify or sanitize user-uploaded files. By uploading a .php file, the remote system will place the file in a user-accessible path. Making a direct request to the uploaded file will allow the attacker to execute the script with the privileges of the web server. In versions <= 3.0.8 authentication can be done by using the WordPress credentials of a user with any role. In later versions, a valid EasyCart admin password will be required that is in use by any admin user. A default installation of EasyCart will setup a user called "demouser" with a preset password of "demouser".
id	MSF:EXPLOIT/UNIX/WEBAPP/WP_EASYCART_UNRESTRICTED_FILE_UPLOAD
last seen	2020-06-05
modified	2018-10-01
published	2015-01-10
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9308
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/wp_easycart_unrestricted_file_upload.rb
title	WordPress WP EasyCart Unrestricted File Upload

Packetstorm

data source	https://packetstormsecurity.com/files/download/129875/wpshoppingcart-shell.txt
id	PACKETSTORM:129875
last seen	2016-12-05
published	2015-01-09
reporter	Kacper Szurek
source	https://packetstormsecurity.com/files/129875/WordPress-Shopping-Cart-3.0.4-Unrestricted-File-Upload.html
title	WordPress Shopping Cart 3.0.4 Unrestricted File Upload

Seebug

bulletinFamily	exploit
description	<p># 受影响版本: WordPress Shopping Cart 3.0.4 </p><p># 日期: 29-10-2014</p><p># 软件链接: <a href="https://wordpress.org/plugins/wp-easycart/" rel="nofollow">https://wordpress.org/plugins/wp-easycart/</a></p><p># CVE: CVE-2014-9308</p><p># 类别: 应用程序</p><p>漏洞详情：</p><p>任何注册用户都可以上传任何文件。<br></p><p>上传点: wp-easycart\inc\amfphp\administration\banneruploaderscript.php<br></p><p>$date = $_POST['datemd5'];</p><p>$usersqlquery = sprintf("SELECT  ec_user.*, ec_role.admin_access FROM  ec_user  LEFT JOIN ec_role ON (ec_user.user_level = ec_role.role_label) WHERE  ec_user.password = '%s' AND  (ec_user.user_level = 'admin' OR ec_role.admin_access = 1)", mysql_real_escape_string($requestID));</p><p>$userresult = mysql_query($usersqlquery);</p><p>$users = mysql_fetch_assoc($userresult);</p><p>if ($users \|\| is_user_logged_in()) {</p><p> $filename = $_FILES['Filedata']['name'];</p><p> $filetmpname = $_FILES['Filedata']['tmp_name'];</p><p> $fileType = $_FILES["Filedata"]["type"];</p><p> $fileSizeMB = ($_FILES["Filedata"]["size"] / 1024 / 1000);</p><p> $explodedfilename = pathinfo($filename);</p><p> $nameoffile = $explodedfilename['filename'];</p><p> $fileextension = $explodedfilename['extension'];</p><p> move_uploaded_file($_FILES['Filedata']['tmp_name'], "../../../products/banners/".$nameoffile."_".$date.".".$fileextension);</p><p>}</p> 验证： Login as regular user (created using wp-login.php?action=register): <form action="http://wordpress-install/wp-content/plugins/wp-easycart/inc/amfphp/administration/banneruploaderscript.php" method="post" enctype="multipart/form-data"> <input type="hidden" name="datemd5" value="1"> <input type="file" name="Filedata"> <input value="Upload!" type="submit"> </form> File will be visible: http://wordpress-install/wp-content/plugins/wp-easycart/products/banners/%filename%_1.%fileextension%
id	SSV:89276
last seen	2017-11-19
modified	2015-08-31
published	2015-08-31
source	https://www.seebug.org/vuldb/ssvid-89276
title	WordPress Shopping Cart 3.0.4 --任意文件上传

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Packetstorm

Seebug

References