Cost Calculator <= 1.8 – Authenticated Local File Inclusion | CVE 2021-24820 | Plugin Vulnerabilities

Description

The plugin allows authenticated users (Contributor+ in versions < 1.5, and Admin+ in versions <= 1.8) to perform path traversal and local PHP file inclusion on Windows Web Servers via the Cost Calculator post's Layout

Proof of Concept

As a contributor, create a Cost Calculator post, set the Layout to /../../../../../../../../../../file (assuming the file to include is at C:\xampp\file.php and WordPress is installed at C:\xampp\htdocs\wordpress). Save as draft, then embde the calculator using the related shortcode (e.g [nd_cost_calculator id="806"]) and preview the post to trigger the LFI.

Affects Plugins

No known fix

References

CVE

Classification

Type

LFI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

apple502j

Submitter

apple502j

Verified

Yes

WPVDB ID

47652b24-a6f0-4bbc-834e-496b88523fe7

Timeline

Publicly Published

2022-02-01 (about 2 years ago)

Added

2022-02-01 (about 2 years ago)

Last Updated

2022-05-24 (about 1 years ago)

Other

Published

Title

Published

2023-04-18

Title

YARPP - Yet Another Related Posts Plugin < 5.30.5 - Subscriber+ LFI

Published

2015-08-02

Title

simple-image-manipulator <= 1.0 - Remote File Download

Published

2014-08-01

Title

Browser Rejector - Remote & Local File Inclusion

Published

2024-04-22

Title

Sendinblue for WooCommerce < 4.0.18 - Authenticated (Editor+) Arbitrary File Download and Deletion

Published

2022-01-31

Title

Essential Addons for Elementor < 5.0.5 - Unauthenticated LFI