WordPress Plugin Vulnerabilities

Add From Server <= 3.3.3 - Authenticated Path Traversal to Arbitrary File Access

Description

An authenticated attacker with low permission can read arbitrary files on server using Path Traversal.

The plugin author states that this is by design and that the plugin should not be used. Please refer to the references.

Proof of Concept

Affects Plugins

Plugin icon
add-from-server
No known fix

References

URL
https://medium.com/@hoanhp/0-day-story-3-add-from-server-b06244c1ea6b
URL
https://wordpress.org/support/topic/path-traversal-lead-to-arbitrary-file-reading/

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.7 (high)

Miscellaneous

Original Researcher
HoanHP
Submitter
hoan
Submitter website
https://medium.com/@hoanhp/
Submitter twitter
HoanHP
Verified
No
WPVDB ID
17d1f19b-a550-4eba-94be-942a96a0d6c8

Timeline

Publicly Published
2020-08-11 (about 5 years ago)
Added
2020-09-06 (about 5 years ago)
Last Updated
2020-09-21 (about 5 years ago)

Other

Published
Title
Published
2022-10-28
Title
Ultimate Member < 2.5.1 - Admin+ LFI via Traversal
Published
2012-01-16
Title
myEASYbackup <= 1.0.8.1 - Directory Traversal
Published
2021-01-15
Title
Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
Published
2022-08-29
Title
WPvivid Backup 0.9.76 - Admin+ Arbitrary File Deletion
Published
2014-09-20
Title
W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read