István Márton
August 16, 2024

10,000 WordPress Sites Affected by Arbitrary File Read and Delete Vulnerability in InPost PL and InPost for WooCommerce WordPress Plugins

📢 Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Through October 14th, researchers can earn up to $31,200, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest. 

On June 25th, 2024, during the 0-day Threat Hunt Promo of our Bug Bounty Program, we received a submission for an Arbitrary File Read and Delete vulnerability in the InPost PL and InPost for WooCommerce WordPress plugins with over 7,000 and 3,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible.

Props to 1337_Wannabe who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $450.00 for this discovery during the 0-day Threat Hunt Promo. Our mission is to Secure the Web, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure, which ultimately makes the entire web more secure.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Local File Inclusion protection.

We provided full disclosure details to the Inspire Labs Team on July 4, 2024, and on July 10, 2024. The developer released a patch on July 10, 2024 for the InPost PL plugin, and removed the InPost for WooCommerce plugin from the repository on August 8, 2024.

We urge users to update their sites with the latest patched version of InPost PL, which is version 1.4.5, as soon as possible. We also recommend that users who are still using the removed InPost for WooCommerce plugin delete it from their sites and install the InPost PL plugin instead.

Vulnerability Summary from Wordfence Intelligence

Description: InPost for WooCommerce <= 1.4.0 and InPost PL <= 1.4.4 – Missing Authorization to Unauthenticated Arbitrary File Read and Delete
Affected Plugins: InPost PL, InPost for WooCommerce
Plugin Slugs: inpost-for-woocommerce, woo-inpost
Affected Versions: <= 1.4.4 (for InPost PL), <= 1.4.0 (for InPost for WooCommerce)
CVE ID: CVE-2024-6500
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H
Researcher/s: 1337_Wannabe
Fully Patched Version: 1.4.5 (for InPost PL)
Bounty Award: $450.00

The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the ‘parse_request’ function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.

Technical Analysis

InPost for WooCommerce plugin and InPost PL plugin are WordPress plugins, which integrate WooCommerce with InPost services.

Examining the code reveals that the plugin uses the parse_request() function in the EasyPack_Helper class to download easypack stickers file in PDF format.

public function parse_request( &$wp ) {
	if ( array_key_exists( 'easypack_download', $wp->query_vars ) ) {
		if ( isset( $_GET['easypack_parcel_machines_stickers'] )
		     && $_GET['easypack_parcel_machines_stickers'] == '1'
		) {
			EasyPack_Shippng_Parcel_Machines::get_stickers();
		}
		if ( isset( $_GET['easypack_file'] ) ) {
			$temp_dir = trailingslashit( get_temp_dir() );
			$file     = $temp_dir . sanitize_text_field( $_GET['easypack_file'] );
			$this->get_file( $file,
				__( 'stickers', 'woocommerce-inpost' ) . '_' . time()
				. '.pdf', 'application/pdf' );
		}

		exit;
	}
}
public function get_file( $file, $file_name, $content_type = '' ) {

	header( 'Content-type: ' . $content_type );
	header( 'Content-Disposition: attachment; filename="' . $file_name
	        . '"' );
	header( 'Content-Transfer-Encoding: binary' );
	header( 'Content-Length: ' . filesize( $file ) );
	header( 'Accept-Ranges: bytes' );

	@readfile( $file );

	unlink( $file );

}

Unfortunately, the file parameter is not properly sanitized. The file’s content is read with the readfile() function for download, and then it is immediately deleted with the unlink() function.

This means that attackers can specify any file on the server to be read and then subsequently deleted. This makes it possible for the attacker to read and delete any arbitrary file on the server, including the site’s wp-config.php file. Deleting wp-config.php forces the site into a setup state, allowing an attacker to take control by connecting it to a database under their control. Once an attacker has taken control by connecting their database, they have effectively taken over the WordPress instance and can further infect the victim through the filesystem and maintain persistence by installing additional plugins and/or modifying plugin and theme files.

Disclosure Timeline

June 25, 2024 – We received the submission of the Arbitrary File Read and Delete vulnerability in InPost PL via the Wordfence Bug Bounty Program.
July 4, 2024 – We validated the report and confirmed the proof-of-concept exploit.
July 4, 2024 – We initiated contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
July 4, 2024 – The vendor confirmed the inbox for handling the discussion.
July 6, 2024 – We sent over the full disclosure details. The vendor acknowledged the report and began working on a fix.
July 10, 2024 – The fully patched version of the InPost PL plugin, 5.0.4, is released.
August 8, 2024 – The InPost for WooCommerce plugin is removed from the WordPress.org repository.

Conclusion

In this blog post, we detailed an Arbitrary File Read and Delete vulnerability within the InPost PL plugin affecting versions 1.4.4 and earlier, and within the InPost for WooCommerce plugin affecting versions 1.4.0 and earlier. This vulnerability allows unauthenticated threat actors to read and delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. The vulnerability has been fully addressed in version 1.4.5 of the InPost PL plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of InPost PL, and delete the InPost for WooCommerce plugin from their sites.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Trust Your Site
to the Leader in WordPress Security

Wordfence Security includes an endpoint firewall, malware scanner, robust login security features, live traffic views, and more. Discover why over 5 million WordPress sites put their trust in Wordfence.

Protect Your Site

Did you enjoy this post? Share it!

LinkedIn 

Comments

No Comments

Breaking WordPress Security Research in your inbox as it happens.

Example of a news story

This site uses cookies in accordance with our Privacy Policy.