Multiple Plugins – jQueryFileTree – Unauthenticated Path Traversal | CVE 2017-1000170

Description

Since no authentication or authorisation checks for direct access to the jqueryFileTree.php are made, the vulnerability allows for browsing the file system on a host out of an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files e.g. in the web directories could easily enumerated this way. E.g. this could be abused for a "file path/name leakage" in another exploitation chain.

Proof of Concept

curl 'https://example.com/wp-content/plugins/wp-lister-amazon/js/jqueryFileTree/connectors/jqueryFileTree.php' -d "dir=../../"

Affects Plugins

wp-lister-ebay

Fixed in 2.0.21

wp-lister-amazon

Fixed in 0.9.6.36

References

CVE

CVE-2017-1000170

URL

https://github.com/jqueryfiletree/jqueryfiletree/issues/66

URL

https://www.wplab.com/plugins/wp-lister/changelog/

URL

https://www.wplab.com/plugins/wp-lister-for-amazon/changelog/

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

5.3 (medium)

Miscellaneous

Submitter

Robert Wiggins

Submitter twitter

random_robbie

Verified

WPVDB ID

37266611-1923-4fa8-8d9d-9439593051e8

Timeline

Publicly Published

2017-10-20 (about 8 years ago)

Added

2020-10-20 (about 5 years ago)

Last Updated

2020-10-21 (about 5 years ago)

Other

Published

Title

Published

2023-03-20

Title

All-In-One Security (AIOS) < 5.1.5 - Admin+ Arbitrary File/Folder Access via Traversal

Published

2025-09-03

Title

atec Debug < 1.2.23 - Admin+ Arbitrary File Deletion

Published

2020-03-13

Title

WordPress File Upload < 4.13.0 - Directory Traversal to RCE

Published

2022-09-14

Title

Enable Media Replace < 4.0.0 - Admin+ Path Traversal

Published

2021-07-29

Title

WordPress Download Manager < 3.1.25 - Authenticated Directory Traversal