File Uploads Addon for WooCommerce <= 1.7.3 - Missing Authorization
Description
The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Technical Details
Affected versions: <= 1.7.3
What Changed in the Fix
Changes introduced in v1.7.4
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-24625 (Missing Authorization in File Uploads Addon for WooCommerce)
1. Vulnerability Summary
The File Uploads Addon for WooCommerce plugin (versions <= 1.7.3) contains a missing authorization vulnerability in its file download handling logic. The plugin registers an admin_post action named wau_secure_download for both authenticated and unauthenticated (nopriv) users. This action points to the wau_secure_file_download function in the wau_front_end_class. Because this function lacks a capability check (e.g., current_user_can( 'manage_options' )) or ownership validation, any unauthenticated user can trigger the download of files uploaded by other customers by providing the appropriate file path or URL parameter.
2. Attack Vector Analysis
- Endpoint: `/wp-admin/admin-post.php`
- Action: `wau_secure_download`
- Hook (Authenticated): `admin_post_wau_secure_download`
- Hook (Unauthenticated): `admin_post_nopriv_wau_secure_download` (Vulnerable Entry Point)
- HTTP Method: `GET` (typically used for download links)
- Parameters: `action=wau_secure_download`, `wau_file_url` (inferred from plugin naming conventions and the `wau_add_item_meta_url` function)
- Authentication: None required (unauthenticated).
3. Code Flow
- Entry Point: An unauthenticated user sends a request to `wp-admin/admin-post.php?action=wau_secure_download&wau_file_url=...`.
- Hook Registration: In `includes/class-wau-front-end.php`, the `__construct` method of `wau_front_end_class` registers the action: `add_action( 'admin_post_wau_secure_download', array( $this, 'wau_secure_file_download' ) );` and `add_action( 'admin_post_nopriv_wau_secure_download', array( $this, 'wau_secure_file_download' ) );`
- Execution: WordPress triggers the `wau_secure_file_download` method.
- Vulnerable Sink: The `wau_secure_file_download` function (located in `includes/class-wau-front-end.php`) fails to verify whether the requesting user has the `manage_woocommerce` capability or owns the order associated with the file.
- Output: The function reads the file path from the request and pipes the file content to the browser using `readfile()` or similar, allowing unauthorized access to customer-uploaded images/documents.
4. Nonce Acquisition Strategy
While admin_post handlers should use nonces for CSRF protection, the "Missing Authorization" nature of this vulnerability often implies the handler is completely open. If a nonce is required, it is likely the one generated for the "secure" link in the order metadata.
However, if the plugin enqueues a nonce for its front-end actions, it would be localized via wau_front_end_scripts_js.
- Search for Nonce: Use `grep -r "wp_create_nonce" includes/` to find whether a specific nonce is used for downloads.
- Product Page Nonce: The product page contains a nonce for uploading: `wau_file_upload`.
  - Variable: `wau_file_upload_nonce`
  - Action: `wau_file_upload`
- Strategy: If the download handler requires a nonce, first navigate to a product page where the addon is active and extract the nonce using `browser_eval("document.querySelector('#wau_file_upload_nonce')?.value")`.
5. Exploitation Strategy
Step 1: Discover Parameters
Since the source for wau_secure_file_download is truncated, use the grep tool to find the parameter used for the file path:
```sh
grep -n "wau_secure_file_download" includes/class-wau-front-end.php -A 20
```
Identify if it uses $_GET['wau_file_url'], $_GET['filepath'], or similar.
Step 2: Create Test Data
- Enable the addon in settings: `wp option update wau_addon_settings '{"wau_enable_addon":"1"}' --format=json`
- Create a product: `wp post create --post_type=product --post_title="Upload Product" --post_status=publish`
- As a visitor, navigate to the product and upload a file named `secret_receipt.jpg`.
- Note the location. Files are typically stored in `wp-content/uploads/wau-uploads/`.
Step 3: Trigger Unauthorized Download
Using the http_request tool, perform an unauthenticated GET request to admin-post.php.
Request Structure (Example):
```http
GET /wp-admin/admin-post.php?action=wau_secure_download&wau_file_url=http://localhost:8080/wp-content/uploads/wau-uploads/secret_receipt.jpg HTTP/1.1
Host: localhost:8080
```
Note: The wau_file_url might be a relative path or an encrypted string. If it's a path, try directory traversal (e.g., ../../../../wp-config.php) if the plugin fails to sanitize the input.
6. Test Data Setup
- Plugin Settings: Ensure `wau_enable_addon` is set to `1` in the `wau_addon_settings` option.
- Product: Create a product with ID `123`.
- Upload: Perform a multipart/form-data POST to the product page with a file in the `wau_file_addon` field and the `wau_file_upload_nonce` found in the HTML.
- Capture File Path: Check the `wp_wau_uploads` database table (if it exists) or the `woocommerce_order_itemmeta` table to find the file path/URL generated for an order.
7. Expected Results
- Success: The server responds with `HTTP 200 OK` and the binary content of the file (e.g., `Content-Type: image/jpeg`).
- Failure: The server responds with `HTTP 403 Forbidden`, `HTTP 302` redirecting to login, or an "Unauthorized" error message.
8. Verification Steps
- Check Content: Verify that the downloaded file content matches the file uploaded during setup.
- Verify Unauthenticated: Ensure the `http_request` does not include any session cookies (`wordpress_logged_in_*`).
- Check Capability: After patching, the same request should fail for non-admin users.
9. Alternative Approaches
- Path Traversal: If `wau_secure_file_download` uses a raw file path in a parameter like `file=...`, try accessing `/etc/passwd` or `wp-config.php`.
- Insecure Direct Object Reference (IDOR): If the plugin uses an ID (e.g., `?action=wau_secure_download&id=45`), iterate through IDs to download all uploaded files in the system.
- Nonce Bypass: If the handler checks `wp_verify_nonce( $_GET['nonce'], -1 )`, any nonce generated with the default action `-1` (found in various WP pages) will satisfy the check. (Check `includes/class-wau-front-end.php` for the specific `wp_verify_nonce` call.)
Summary
The File Uploads Addon for WooCommerce plugin fails to perform authorization or nonce validation in its file download handler. This allows unauthenticated attackers to download any file uploaded by customers (such as receipts or personal images) by directly accessing the admin-post.php endpoint with the target filename.
Vulnerable Code
```php
// includes/class-wau-front-end.php line 42
add_action( 'admin_post_wau_secure_download', array( $this, 'wau_secure_file_download' ) );
add_action( 'admin_post_nopriv_wau_secure_download', array( $this, 'wau_secure_file_download' ) );
```

---

```php
// includes/class-wau-front-end.php line 491
public function wau_secure_file_download() {
	$getdata = wp_unslash( $_GET );
	// The nonce check is commented out, so any request with a 'file' parameter passes.
	if ( isset( $getdata['file'] ) /*&& wp_verify_nonce( $getdata['nonce'], 'wau_secure_download' )*/ ) {
		$file_path = wp_upload_dir()['basedir'] . '/wau-uploads/' . basename( $getdata['file'] );
		if ( file_exists( $file_path ) ) {
			header( 'Content-Description: File Transfer' );
			header( 'Content-Type: application/octet-stream' );
			header( 'Content-Disposition: attachment; filename="' . basename( $file_path ) . '"' );
			header( 'Expires: 0' );
			header( 'Cache-Control: must-revalidate' );
			header( 'Pragma: public' );
			header( 'Content-Length: ' . filesize( $file_path ) );
			readfile( $file_path );
			exit;
		}
	}
}
```
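As an added defensive audit (example code, not the plugin's or the advisory's), the following heuristic scans PHP source for `admin_post_nopriv_*` callbacks whose body contains no nonce or capability check, the exact pattern of the handler above. The embedded PHP sample is constructed to mirror that handler, with the commented-out check, and its patched form.

```python
"""Heuristic audit for WordPress admin_post_nopriv handlers that lack an
authorization or intent check (the bug class behind CVE-2026-24625).
Added example; the PHP below is constructed, not the plugin's source."""
import re

# Callback registered for unauthenticated requests: admin_post_nopriv_<action>
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]admin_post_nopriv_(\w+)['\"]\s*,\s*"
    r"array\(\s*\$this\s*,\s*['\"](\w+)['\"]\s*\)")
# Any of these inside the callback body counts as a check.
AUTH_CHECKS = ("wp_verify_nonce", "check_admin_referer", "check_ajax_referer",
               "current_user_can", "is_user_logged_in")

def strip_comments(php: str) -> str:
    """Drop /* */ and // comments so a commented-out check is not counted.
    (Assumes no '//' inside string literals, e.g. URLs, in the scanned file.)"""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"//[^\n]*", "", php)

def function_body(php: str, name: str) -> str:
    """Return the brace-balanced body of `function name(...) { ... }`, or ''."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(php) and depth:
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        i += 1
    return php[m.end():i - 1]

def unprotected_nopriv_handlers(php: str) -> list:
    """Return (action, callback) pairs whose callback performs no AUTH_CHECKS call."""
    clean = strip_comments(php)
    return [(action, cb) for action, cb in HOOK_RE.findall(clean)
            if not any(check in function_body(clean, cb) for check in AUTH_CHECKS)]

# Constructed sample mirroring the vulnerable handler (nonce check commented out).
VULNERABLE_PHP = r"""
add_action( 'admin_post_nopriv_wau_secure_download', array( $this, 'wau_secure_file_download' ) );
public function wau_secure_file_download() {
    $getdata = wp_unslash( $_GET );
    if ( isset( $getdata['file'] ) /*&& wp_verify_nonce( $getdata['nonce'], 'wau_secure_download' )*/ ) {
        readfile( wp_upload_dir()['basedir'] . '/wau-uploads/' . basename( $getdata['file'] ) );
    }
}
"""
# Same sample with the check re-enabled, as the fix does.
PATCHED_PHP = VULNERABLE_PHP.replace("/*&&", "&&").replace("' )*/", "' )")

if __name__ == "__main__":
    print(unprotected_nopriv_handlers(VULNERABLE_PHP))  # [('wau_secure_download', 'wau_secure_file_download')]
    print(unprotected_nopriv_handlers(PATCHED_PHP))     # []
```

A hit only means the callback does its checks elsewhere or not at all; read the flagged function before filing a finding.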
Security Fix
@@ -347,7 +347,7 @@ array( 'action' => 'wau_secure_download', 'file' => esc_html( $addon_id['file_name'] ), - // 'nonce' => wp_create_nonce( 'wau_secure_download' ), + 'nonce' => wp_create_nonce( 'wau_secure_download' ), ), admin_url( 'admin-post.php' ) ); @@ -396,7 +396,7 @@ array( 'action' => 'wau_secure_download', 'file' => esc_html( $addon_id['file_name'] ), - // 'nonce' => wp_create_nonce( 'wau_secure_download' ), + 'nonce' => wp_create_nonce( 'wau_secure_download' ), ), admin_url( 'admin-post.php' ) ); @@ -491,7 +491,20 @@ */ public function wau_secure_file_download() { $getdata = wp_unslash( $_GET ); - if ( isset( $getdata['file'] ) /*&& wp_verify_nonce( $getdata['nonce'], 'wau_secure_download' )*/ ) { + + $has_valid_nonce = ( + isset( $getdata['nonce'] ) && + wp_verify_nonce( $getdata['nonce'], 'wau_secure_download' ) + ); + + $is_admin_allowed = ( + is_user_logged_in() && + current_user_can( 'manage_woocommerce' ) + ); + + // Allow if nonce is valid OR admin user + if ( isset( $getdata['file'] ) && ( $has_valid_nonce || $is_admin_allowed ) ) { + $file_path = wp_upload_dir()['basedir'] . '/wau-uploads/' . basename( $getdata['file'] ); if ( file_exists( $file_path ) ) {
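Review bot: The `'nonce' => wp_create_nonce( 'wau_secure_download' )` line re-enabled in the first hunk (line 347) is repeated verbatim in the second hunk (line 396); build the download URL in one helper so the nonce action string cannot drift from the `'wau_secure_download'` that `wp_verify_nonce` expects in the handler.

Review bot: The nonce added at line 396 makes the download link time-limited: WordPress nonces are valid for 24 hours by default, so if this URL is rendered into order e-mails or persisted in order meta, customer download links will stop working after that window and fall through the handler's `if` with no error response. Either document the expiry or serve stored links through an ownership check rather than a nonce.

Review bot: The new guard at line 491 accepts any request that carries a valid `'wau_secure_download'` nonce or comes from a `manage_woocommerce` user, but neither branch ties `$getdata['file']` to the order it belongs to: the nonce action is a fixed string, so one valid nonce covers every basename in `wau-uploads/`. Bind the file name into the nonce action at both link sites and in `wp_verify_nonce`, or resolve the file from the order item and require the requester to own that order; and return an explicit 403 via `wp_die()` when the check fails instead of falling out of the `if` silently.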
Exploit Outline
The exploit targets the `wau_secure_file_download` function, which is exposed to unauthenticated users via the WordPress admin-post.php API. An attacker can construct a GET request to `/wp-admin/admin-post.php?action=wau_secure_download&file=[FILENAME]` to trigger the download of any file stored in the `wp-content/uploads/wau-uploads/` directory. Since the code uses `basename()`, directory traversal is prevented, but any file within that specific upload directory is accessible without authentication or a valid nonce. No specific headers or session cookies are required for the exploit.