CVE-2018-8710 in Products Filter Plugin
Summary
by MITRE
A remote code execution issue was discovered in the WooCommerce Products Filter (aka WOOF) plugin before 2.2.0 for WordPress, as demonstrated by the shortcode parameter in a woof_redraw_woof action. The plugin implemented a page redraw AJAX function accessible to anyone without any authentication. WordPress shortcode markup in the "shortcode" parameters would be evaluated. Normally unauthenticated users can't evaluate shortcodes as they are often sensitive.
Analysis
by VulDB Data Team • 01/13/2020
CVE-2018-8710 is a critical remote code execution flaw in the WooCommerce Products Filter (WOOF) plugin for WordPress, affecting versions before 2.2.0. The issue lies in the plugin's AJAX handling: the woof_redraw_woof action gives unauthenticated attackers a path to execute arbitrary code on affected WordPress installations. It stems from the plugin's improper handling of user input in the shortcode parameter, which creates a direct code injection vector that bypasses WordPress's standard security controls.
Exploitation goes through the plugin's page redraw AJAX function, which performs neither authentication checks nor input validation. When an attacker submits a malicious shortcode parameter via the woof_redraw_woof action, the plugin processes it without adequate sanitization or authorization verification. This design flaw lets any remote user trigger the evaluation of WordPress shortcode markup, which normally requires authentication or specific permissions. In effect, the vulnerability turns an otherwise restricted function into an unrestricted code execution interface, which is particularly dangerous on publicly accessible sites.
The operational impact goes beyond simple code execution, as the flaw gives attackers complete control over affected WordPress installations. An attacker can use it to install malicious plugins, modify existing content, steal sensitive data, or establish persistent backdoors in the compromised environment. Because no authentication is required, exploitation needs no prior credentials, which makes the vulnerability particularly attractive to automated attack tools and to actors seeking to compromise many WordPress sites at once. This type of vulnerability aligns with the attack patterns described in technique T1059.001 (command and scripting interpreter) and T1078.004 (valid accounts), since it lets attackers execute arbitrary commands through legitimate WordPress functionality.
Security professionals should note that this vulnerability reflects poor input validation and authentication practices that violate several principles catalogued in the CWE database: it maps to CWE-20 (improper input validation) and CWE-863 (incorrect authorization). It also maps to ATT&CK technique T1190 (exploit public-facing application), since the exploited interface is publicly reachable and requires no privileged access. Organizations running affected versions of the WooCommerce Products Filter plugin should immediately apply mitigations: update the plugin, add firewall rules that block malicious AJAX requests, and monitor for suspicious shortcode parameter usage. Remediation must also include a comprehensive security audit of all installed plugins to identify similar authentication bypass vulnerabilities in other third-party components.
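As an added illustration of the weakness the analysis describes and of the remediation it calls for, the PHP below shows a hypothetical product-filter plugin's AJAX redraw handler in the vulnerable shape the advisory describes (shortcode markup taken from the request and evaluated for any visitor) next to a hardened form. This is example code written for this page, not the WOOF plugin's own source: the handler names, the `example_filter` shortcode tag, the `example_filter_redraw` action and nonce name, and the attribute allowlist are all assumptions. The WordPress functions called (`do_shortcode`, `check_ajax_referer`, `wp_unslash`, `sanitize_text_field`, `absint`, `sanitize_title`, `esc_attr`, `wp_send_json_success`, `add_action`) are real WordPress API functions.

```php
<?php
// Added example (not WOOF's code): a hypothetical product-filter plugin's
// AJAX "redraw" endpoint, first in the vulnerable shape the advisory
// describes, then hardened. All names below are assumed.

/* --- Vulnerable pattern (shown for contrast, never registered here) ------
 * Registered for logged-out visitors (wp_ajax_nopriv_*), the handler passes
 * the request's "shortcode" parameter straight to do_shortcode(), so any
 * visitor can have arbitrary shortcode markup evaluated by the site.
 */
function example_filter_redraw_vulnerable() {
    $markup = isset( $_REQUEST['shortcode'] ) ? wp_unslash( $_REQUEST['shortcode'] ) : '';
    echo do_shortcode( $markup ); // user-controlled markup is evaluated
    wp_die();
}

/* --- Hardened pattern ----------------------------------------------------
 * 1. Never accept shortcode markup from the client. Accept only the few
 *    attributes the redraw needs, validate each one, and build the
 *    shortcode string server-side from a fixed tag.
 * 2. Tie the request to a nonce issued with the page, so only the plugin's
 *    own front-end script can drive the endpoint.
 * 3. Return JSON; check_ajax_referer() stops the request if the nonce fails.
 */
const EXAMPLE_FILTER_TAG = 'example_filter'; // the plugin's own shortcode tag (assumed)

function example_filter_redraw_hardened() {
    // Reject requests lacking a valid nonce (the page's script embeds it).
    check_ajax_referer( 'example_filter_redraw', 'nonce' );

    // Allowlist of attributes the redraw may vary, each with its own validator.
    $allowed = array(
        'per_page' => function ( $v ) { $n = absint( $v ); return ( $n >= 1 && $n <= 100 ) ? $n : 12; },
        'orderby'  => function ( $v ) { return in_array( $v, array( 'price', 'date', 'title' ), true ) ? $v : 'date'; },
        'category' => function ( $v ) { return sanitize_title( $v ); },
    );

    $atts = array();
    foreach ( $allowed as $name => $validate ) {
        if ( isset( $_POST[ $name ] ) ) {
            $clean  = $validate( sanitize_text_field( wp_unslash( $_POST[ $name ] ) ) );
            $atts[] = sprintf( '%s="%s"', $name, esc_attr( $clean ) );
        }
    }

    // The only shortcode ever evaluated is the plugin's own, with validated attributes.
    $markup = '[' . EXAMPLE_FILTER_TAG . ( $atts ? ' ' . implode( ' ', $atts ) : '' ) . ']';
    wp_send_json_success( array( 'html' => do_shortcode( $markup ) ) );
}

// The hardened handler still serves anonymous shoppers: the nonce and the
// server-built markup, not a login, are what keep it safe.
add_action( 'wp_ajax_example_filter_redraw',        'example_filter_redraw_hardened' );
add_action( 'wp_ajax_nopriv_example_filter_redraw', 'example_filter_redraw_hardened' );
```

The nonce only ties the request to a page the plugin itself rendered; WordPress issues nonces to logged-out visitors as well, so it is not an authentication check. What actually closes the code injection vector is that the handler never evaluates client-supplied markup: the only shortcode reaching do_shortcode() is the plugin's own tag, with every attribute validated against an allowlist. On the monitoring side, the analysis's advice about the shortcode parameter translates into flagging admin-ajax.php requests for the affected action whose shortcode parameter carries any tag other than the plugin's own.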