Arbitrary Shortcode Execution & Local File Inclusion In WOOF (PluginUs.Net)


Arbitrary Shortcode Execution & Local File Inclusion


WOOF - WooCommerce Products Filter (PluginUs.Net)

Vulnerable Version


Fixed Version


CVE Number







Ahmad Ramadhan Amizudin (Office Kuala Lumpur) | SEC Consult Vulnerability Lab

Multiple vulnerabilies have been identified in WooCommerce Products Filter version 1.1.9. An unauthenticated user can perform a local file inclusion and execute arbitrary wordpress shortcode.

Vendor Description

“PluginUs.Net is a little team of talented professionals from Ukraine. Unlike most of the big companies on the net, we believe in individual approach to every our customer. Web development is our passion and we always try to go an extra mile over our clients’ expectations.

Our team specializes in development of WordPress plugins. It’s always exciting to try new technologies and approaches to get the project done and impress clients by realization of their ideas!”


Business Recommendation

SEC Consult recommends to ugprade to the latest version available as soon as possible. Further detailed security tests should be performed in order to identify potential other security issues.

Vulnerability Overview/ Description

1. Arbitrary Shortcode Execution

The plugin implemented a page redraw AJAX function accessible to anyone without any authentication.

WordPress shortcode markup in the “shortcode” parameters would be evaluated. Normally unauthenticated users can’t evaluate shortcodes as they are often sensitive.

Additionally, it is noted that there are other implemented shortcodes that are being used in this plugin which can be abused through the same attack. Worst, some of them could lead to remote code execution.

2. Local File Inclusion

The vulnerability is due to the lack of args/input validation on render_html before allowing it to be called by extract(), a PHP built-in function. Because of this, the supplied args/input can be used to overwrite the $pagepath variable which then could lead to local file inclusion attack.

Proof Of Concept

1. Arbitrary Shortcode Execution

The parameter “shortcode” within the “admin-ajax.php” script is affected by the code execution vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
action=woof_redraw_woof&shortcode=<<shortcode without []>>

2. Local File Inclusion

The parameter “shortcode” within the “admin-ajax.php” script is affected by the local file inclusion vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
action=woof_redraw_woof&shortcode=woof_search_options pagepath=/etc/passwd

Vulnerable / Tested Versions

PluginUs.Net WooCommerce Products Filter version 1.1.9 has been tested and found to be vulnerable.

Vendor Contact Timeline Solution

2018-02-20: Contacting vendor through
2018-02-20: Vendor agreed to proceed without encrypted channel
2018-02-21: Sent security advisory to vendor
2018-02-26: Vendor sent patch containing the fixes
2018-02-26: Informed vendor the patch doesn’t fully mitigate the vulnerability
2018-03-12: Request update from vendor
2018-03-12: Vendor said they already published the patch
2018-03-14: Public release of security advisory


The vendor provides an updated version and users are urged to upgrade to version 2.2.0



Advisory URL


EOF Ahmad Ramadhan / @2018


Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.