YML for Yandex Market < 5.0.26 - Authenticated (Shop Manager+) Remote Code Execution
Description
The YML for Yandex Market plugin for WordPress is vulnerable to Remote Code Execution in all versions up to 5.0.26 (exclusive). This makes it possible for authenticated attackers, with Shop Manager-level access and above, to execute code on the server.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Technical Details
<5.0.26
What Changed in the Fix
Changes introduced in v5.0.26
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2025-14545 - YML for Yandex Market RCE
1. Vulnerability Summary
The YML for Yandex Market plugin (versions < 5.0.26) is vulnerable to Remote Code Execution (RCE) via an authenticated path. The vulnerability exists because the plugin allows users with manage_woocommerce capabilities (Shop Managers and Admins) to modify feed configuration settings, including the file extension and the feed filename, without sufficient sanitization or restriction on the .php extension. By changing the feed extension to .php and injecting PHP code into a field that is exported to the feed (such as a product title or a custom feed header), an attacker can create a malicious PHP file in the WordPress uploads directory and execute arbitrary code.
2. Attack Vector Analysis
- Endpoint: wp-admin/admin-ajax.php or wp-admin/admin.php?page=yml-for-yandex-market
- Action: y4ym_save_settings (for updating options) and y4ym_run_generation (for triggering feed creation).
- Vulnerable Parameters:
  - y4ym_file_extension: Can be set to php.
  - y4ym_feed_name: Can be set to a custom filename (e.g., wp-content/uploads/rce).
  - Product Title: Can be
Summary
The YML for Yandex Market plugin is vulnerable to Remote Code Execution because it allows users with Shop Manager privileges or higher to define arbitrary file extensions for generated product feeds. By setting the feed extension to .php and injecting malicious PHP code into product fields that are exported to the feed, an attacker can create an executable shell on the server.
Vulnerable Code
// includes/feeds/class-yfym-feed-file-meta.php line 74
public function get_feed_extension() {
    // Reads the per-feed extension option; the default is false when unset.
    $file_extension = common_option_get( 'y4ym_file_extension', false, $this->get_feed_id(), 'y4ym' );
    // Only an empty value falls back to 'xml'; any other string (including 'php') is returned unchecked.
    if ( empty( $file_extension ) ) {
        $file_extension = 'xml';
    }
    return $file_extension;
}
Security Fix
@@ -74,11 +82,11 @@ $file_extension = common_option_get( 'y4ym_file_extension', - false, + 'xml', $this->get_feed_id(), 'y4ym' ); - if ( empty( $file_extension ) ) { + if ( ! in_array( $file_extension, [ 'xml', 'yml', 'csv', 'txt' ] ) ) { $file_extension = 'xml'; } return $file_extension;
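Review bot: the allowlist on the `+ if ( ! in_array( $file_extension, [ 'xml', 'yml', 'csv', 'txt' ] ) ) {` line should pass `true` as the third argument so the membership test is strict; with loose comparison a non-string option value such as `true` (and, on PHP 7, `0`) compares equal to a string entry and would be accepted as a valid extension. The hunk also hardens only the extension: the research plan above lists `y4ym_feed_name` as the second attacker-controlled parameter, and nothing visible here reduces that value to a basename or rejects an embedded suffix, so that code path should be confirmed separately.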
Exploit Outline
1. Authenticate to the WordPress admin panel with a Shop Manager or Administrator account.
2. Access the YML for Yandex Market settings page.
3. Modify the 'File extension' setting (`y4ym_file_extension`) to `php` and provide a custom filename in `y4ym_feed_name` (e.g., `backdoor`).
4. Inject a PHP payload into a product field that is included in the feed, such as a Product Title (e.g., `My Product <?php system($_GET['cmd']); ?>`).
5. Trigger the feed generation process manually or wait for the cron job to run.
6. Access the malicious PHP file located at `/wp-content/uploads/backdoor.php` to execute arbitrary commands via the `cmd` parameter.
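For site owners who want to check their own installation for the two conditions described on this page (a feed extension outside the allowlist the 5.0.26 fix introduced, and PHP-executable files sitting in the uploads directory where a feed would be written), the following Python script is an added, stand-alone example; it is not the plugin's code. It assumes the feed settings have already been read out of wp_options into a simple list of records (the record layout and the sample values are constructed), and the set of PHP-handled suffixes it scans for is an assumption about a typical server configuration.

```python
"""Offline audit for the feed-extension weakness: allowlist check plus uploads scan."""
import os
import tempfile

# Allowlist exactly as the 5.0.26 fix spells it.
ALLOWED_FEED_EXTENSIONS = {"xml", "yml", "csv", "txt"}
# Assumption: suffixes a typical PHP handler configuration will execute.
EXECUTABLE_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}


def is_allowed_extension(value):
    """Mirror of the hardened check: only an exact lowercase allowlisted string passes.
    Unlike the pre-fix empty() test, 'php', '', 'Xml' and 'xml.php' are all rejected."""
    return isinstance(value, str) and value in ALLOWED_FEED_EXTENSIONS


def audit_feed_settings(feeds):
    """feeds: list of dicts with keys feed_id, file_extension, feed_name
    (constructed representation of values read from wp_options).
    Returns (feed_id, field, value, reason) tuples for every suspicious setting."""
    findings = []
    for feed in feeds:
        ext = feed.get("file_extension")
        if not is_allowed_extension(ext):
            findings.append((feed["feed_id"], "file_extension", ext, "outside allowlist"))
        name = feed.get("feed_name")
        if isinstance(name, str):
            base = os.path.basename(name)
            if base != name or os.path.splitext(base)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings.append((feed["feed_id"], "feed_name", name, "path component or executable suffix"))
    return findings


def find_executable_files(uploads_dir):
    """Return sorted paths (relative to uploads_dir) whose suffix PHP would execute.
    A product feed should never produce such a file, so any hit deserves a look."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for fn in files:
            if os.path.splitext(fn)[1].lower() in EXECUTABLE_EXTENSIONS:
                hits.append(os.path.relpath(os.path.join(root, fn), uploads_dir))
    return sorted(hits)


# Constructed sample: two feeds, the second reconfigured the way the advisory describes.
SAMPLE_FEEDS = [
    {"feed_id": 1, "file_extension": "xml", "feed_name": "feed"},
    {"feed_id": 2, "file_extension": "php", "feed_name": "../backdoor"},
]


def demo():
    """Run both checks against constructed settings and a constructed uploads tree."""
    findings = audit_feed_settings(SAMPLE_FEEDS)
    with tempfile.TemporaryDirectory() as uploads:
        os.makedirs(os.path.join(uploads, "2025", "01"))
        for rel in ("feed.xml", os.path.join("2025", "01", "image.jpg"), "backdoor.php"):
            with open(os.path.join(uploads, rel), "w") as fh:
                fh.write("constructed sample content\n")
        hits = find_executable_files(uploads)
    return findings, hits


if __name__ == "__main__":
    found, executable = demo()
    for item in found:
        print("setting finding:", item)
    for path in executable:
        print("executable file in uploads:", path)
```

Point `audit_feed_settings` at the real option values and `find_executable_files` at the real `wp-content/uploads` path; an empty result from both is the expected state on a patched site, and any `.php` hit should be compared against the feed names configured in the plugin before it is treated as benign.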