
How can a vulnerable function be exploited by a non-logged user if it is only called in the WP admin section of a plugin?

Çağlar Arlı


I manage many WordPress websites and often encounter vulnerabilities related to WordPress plugins. However, I always wonder how these vulnerabilities can be exploited. I am not looking to exploit them myself or asking you to write any exploit. I am simply curious about how they work. Some vulnerabilities are described as "can be used remotely," but I don't understand how they can be leveraged by someone who has no access to the server host.

Example with this vulnerability:

https://nvd.nist.gov/vuln/detail/CVE-2024-7257

They write:

#################################################

The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

######################################

You can find more about that kind of vulnerability here: https://cwe.mitre.org/data/definitions/434.html

How can a non-logged remote user call this function if they can't upload any PHP file or code? There are many vulnerabilities of this kind, marked as "can be used remotely by non-authenticated users," and I don't understand how. At the very least, you should have access to the admin to use the plugin.

Thanks
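
An added example, not part of the original post and not the YayExtra plugin's code: a hypothetical WordPress AJAX upload handler with the missing file type validation the quoted advisory describes, beside a hardened form. The action name `demo_upload`, both function names and the allow-list are assumptions; the page does not show how the plugin registers `handle_upload_file`.

```php
<?php
// Hypothetical plugin code: "demo_upload" and the function names are made up.

// Both hooks are served by wp-admin/admin-ajax.php. WordPress dispatches the
// "nopriv" hook for visitors who are NOT logged in, so a handler registered
// this way is reachable without an account even though the URL is under /wp-admin/.
add_action( 'wp_ajax_demo_upload', 'demo_handle_upload_hardened' );
add_action( 'wp_ajax_nopriv_demo_upload', 'demo_handle_upload_hardened' );

// Weak form (CWE-434), shown for comparison and not registered above:
// it keeps the client-supplied file name and never checks the file type.
function demo_handle_upload_weak() {
    $dir  = wp_upload_dir();
    $name = $_FILES['file']['name'];
    move_uploaded_file( $_FILES['file']['tmp_name'], trailingslashit( $dir['path'] ) . $name );
    wp_send_json_success( array( 'url' => trailingslashit( $dir['url'] ) . $name ) );
}

// Hardened form: nonce check, upload error check, and a type allow-list.
function demo_handle_upload_hardened() {
    // Only accept requests carrying a nonce issued by the site's own form.
    if ( ! check_ajax_referer( 'demo_upload', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( array( 'message' => 'No file received.' ), 400 );
    }

    // Assumed allow-list: only the types the feature actually needs.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    require_once ABSPATH . 'wp-admin/includes/file.php';
    // wp_handle_upload() checks extension and type against 'mimes', sanitizes
    // the name and makes it unique. 'test_form' => false skips the check for
    // an 'action' form field, which an AJAX request does not send as expected.
    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );

    if ( isset( $result['error'] ) ) {
        wp_send_json_error( array( 'message' => $result['error'] ), 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

If the upload is meant for administrators only, dropping the `wp_ajax_nopriv_` registration and adding a `current_user_can()` check in the handler restricts it to logged-in users with that capability.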