CVE-2023-4141: Changeset 2944635 for wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php – WordPress Plugin Repository
The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously granted access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files; please note that this means PHP file creation is still allowed for site administrators, so use the plugin with caution.
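--- a/wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php	r2943068
+++ b/wp-ultimate-csv-importer/trunk/wp-ultimate-csv-importer.php	r2944635
@@ -112,8 +112,4 @@
 if ( is_user_logged_in() && current_user_can('manage_options') ) {
 add_action('admin_menu',array(__CLASS__,'testing_function'));
-}
-}else{
-if ( is_user_logged_in() && ( current_user_can( 'edit_published_posts')) && (in_array('editor',$role) || in_array('author',$role)) && $ucisettings['author_editor_access'] == "true" ) {
-add_action('admin_menu',array(__CLASS__,'editor_menu'));
 }
 }
@@ -386,17 +382,25 @@
 $upload = wp_upload_dir();
 $upload_dir = $upload['basedir'];
-if(!is_dir($upload_dir)){
-return false;
-}else{
-$upload_dir = $upload_dir . '/smack_uci_uploads/imports/';
-if (!is_dir($upload_dir)) {
-wp_mkdir_p( $upload_dir);
-}
+if(!is_dir($upload_dir)){
+return false;
+}else{
+$upload_dir = $upload_dir . '/smack_uci_uploads/imports/';
+if (!is_dir($upload_dir)) {
+wp_mkdir_p($upload_dir);
+chmod($upload_dir, 0755);
+
+$index_php_file = $upload_dir . 'index.php';
+if (!file_exists($index_php_file)) {
+$file_content = '<?php' . PHP_EOL . '?>';
+file_put_contents($index_php_file, $file_content);
+}
+}
 if($mode != 'CLI')
 {
 chmod($upload_dir, 0777);
 }
-$exports_dir = $upload['basedir'] . '/smack_uci_uploads/exports/';
-if (!is_dir($exports_dir)) {
+
+$exports_dir = $upload['basedir'] . '/smack_uci_uploads/exports/';
+if (!is_dir($exports_dir)) {
 wp_mkdir_p($exports_dir);
 chmod($exports_dir, 0755);
@@ -407,14 +411,10 @@
 file_put_contents($index_php_file, $file_content);
 }
+}
+
 return $upload_dir;
 }
 }
-if($mode != 'CLI')
-{
-chmod($upload_dir, 0777);
-}
-return $upload_dir;
-}
 
 public function delete_image_schedule()
 {
@@ -508,8 +508,4 @@
 loadbasic();
 }
-}else{
-if ( is_user_logged_in() && ( current_user_can( 'edit_published_posts')) && (in_array('editor',$role) || in_array('author',$role)) && $ucisettings['author_editor_access'] == "true" ) {
-loadbasic();
-}
 }
 }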
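Review bot: The `chmod($upload_dir, 0755);` added right after `wp_mkdir_p($upload_dir);` (new line 390) is undone a few lines later by the unchanged `if($mode != 'CLI') { chmod($upload_dir, 0777); }` block (new 398-401), so outside CLI mode the imports directory is still left world-writable and the new 0755 has no lasting effect. If 0755 is the intended mode, the 0777 block should be removed, or at minimum changed to `chmod($upload_dir, 0755);` so the two statements agree rather than silently contradict each other. The `index.php` stub only blocks directory listing; it does not constrain what later import code writes into the directory, and `file_put_contents($index_php_file, $file_content);` at new 395 is not checked for a `false` return, so a failed write goes unnoticed. The hunks at 112-119 and 508-515 are the author/editor access removal described in the changeset and are not re-reviewed here. The enclosing function starts before and ends after this hunk, so its `return $upload_dir;` paths are only partially visible.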