Attack Chain

1. An attacker registers an account on the WordPress site if one does not exist.
2. The attacker identifies the delete_export_file AJAX action as a target for manipulation.
3. The attacker crafts a POST request to wp-admin/admin-ajax.php with the action set to delete_export_file.
4. The POST request includes a filename parameter containing a path traversal sequence, such as ../../../../wp-config.php.
5. The server-side code, lacking proper input validation, processes the request and attempts to delete the file specified by the crafted filename.
6. Due to the path traversal, the server deletes a file outside of the intended export directory.
7. If the attacker successfully targets critical files like wp-config.php, the WordPress site may become unstable or inaccessible.

Impact

Successful exploitation of this vulnerability can lead to arbitrary file deletion on the server hosting the WordPress site. An attacker could delete critical configuration files like wp-config.php, rendering the website unusable. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high severity. While the provided source doesn’t list specific victim counts or sectors, the widespread use of WooCommerce makes this vulnerability a significant threat.

Recommendation

• Upgrade to a patched version of the WooCommerce CSV Importer that addresses the path traversal vulnerability (CVE-2018-25325).
• Implement the provided Sigma rule “Detect CVE-2018-25325 Exploitation — WooCommerce CSV Importer Path Traversal” to detect malicious POST requests attempting to exploit this vulnerability.
• Monitor web server logs for POST requests to wp-admin/admin-ajax.php with the delete_export_file action and filenames containing directory traversal sequences (../) to identify potential exploitation attempts.