Aspose.Words Exporter < 2.0 – Unauthenticated Arbitrary File Download

Description

The Aspose.Words Exporter WordPress plugin was affected by an Arbitrary File Download security vulnerability.

The aspose_doc_exporter_download.php file of the plugin does not restrict access, check permission or validate the file parameter, allowing unauthenticated user to download any file from the blog (such as the wp-config.php), using a path traversal vector

Proof of Concept

https://example.com/wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=../../../wp-config.php

Affects Plugins

aspose-doc-exporter

Fixed in 2.0

References

Exploitdb

36559

URL

https://packetstormsecurity.com/files/#131167/

URL

https://cxsecurity.com/issue/WLB-2015030204

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter

ethicalhack3r

Verified

WPVDB ID

043aa583-a81d-4565-bf65-83252b8f1f96

Timeline

Publicly Published

2015-03-28 (about 11 years ago)

Added

2015-03-30 (about 11 years ago)

Last Updated

2020-12-29 (about 5 years ago)

Other

Published

Title

Published

2014-08-01

Title

WP Ultimate Email Marketer - Multiple Vulnerabilities

Published

2019-12-25

Title

bbPress Login Register Links On Forum Topic Pages < 2.8.5 - CSRF to Stored XSS

Published

2014-08-06

Title

wpSS <= 0.62 - SQL Injection & XSS

Published

2015-05-29

Title

WP Smiley <= 1.4.1 - CSRF & Cross-Site Scripting (XSS)

Published

2019-06-08

Title

Breadcrumbs by menu < 1.0.3 - Multiple Issues