WordPress Plugin Vulnerabilities

Contact Forms - Drag & Drop Contact Form Builder <= 1.0.5 - Admin+ Arbitrary System File Read

Description

The plugin allows high privilege users to download arbitrary files from the web server via a path traversal attack

Proof of Concept

1) Create a new form with a file upload field.
2) Upload a file to the form created.
3) View the submission in the "All submissions" page and click "Show"
3) Under "File Attachments" you should see the file you uploaded
4) Right-click on the file and copy the url
5) Now paste the url in a new window
6) Change the "&file=" content from the file you uploaded to "../../../../../../../../../../../etc/passwd"
7) The browser will be prompted to download the file.

Affects Plugins

Plugin icon
lastform
No known fix

References

CVE
CVE-2021-24689

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Davide Taraschi
Submitter
Davide Taraschi
Submitter website
https://davidet.altervista.org
Verified
Yes
WPVDB ID
31824250-e0d4-4285-97fa-9880b363e075

Timeline

Publicly Published
2021-09-27 (about 2 years ago)
Added
2022-01-26 (about 2 years ago)
Last Updated
2022-04-13 (about 2 years ago)

Other

Published
Title
Published
2022-03-01
Title
WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE
Published
2023-09-26
Title
Welcart e-Commerce < 2.8.22 - Author+ Path Traversal
Published
2019-05-23
Title
Simple File List Plugin <= 3.2.4 - Authenticated Arbitrary File Delete
Published
2020-03-13
Title
WordPress File Upload < 4.13.0 - Directory Traversal to RCE
Published
2022-10-31
Title
Booster for WooCommerce - ShopManager+ Arbitrary File Download