Delightful Downloads <= 1.6.6 – Unauthenticated Path Traversal | CVE 2017-1000170

Description

Since no authentication or authorisation checks for direct access to the jqueryFileTree.php are made, the vulnerability allows for browsing the file system on a host out of an unauthenticated context. Even though no file content can be exfiltrated this way, "hidden" files e.g. in the web directories could easily enumerated this way. E.g. this could be abused for a "file path/name leakage" in another exploitation chain.

Edit (WPScanTeam):
- The issue was first discovered and reported to the authors by ambulong in 2017 - https://github.com/A5hleyRich/delightful-downloads/issues/165, but was never fixed.
- The issue has been escalated to WP plugin team on June 9th, 2020.

Proof of Concept

curl --data "dir=/etc/" http://example.com/wp-content/plugins/delightful-downloads/assets/vendor/jqueryFileTree/connectors/jqueryFileTree.php

Affects Plugins

delightful-downloads

No known fix

References

CVE

CVE-2017-1000170

URL

https://github.com/A5hleyRich/delightful-downloads/issues/165

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

5.3 (medium)

Miscellaneous

Original Researcher

ambulong (in 2017), Florian Hauser (rediscovery in 2020)

Submitter twitter

frycos

Verified

Yes

WPVDB ID

4841813b-9452-4187-ad5a-efb79f0abb05

Timeline

Publicly Published

2017-05-11 (about 8 years ago)

Added

2020-06-10 (about 5 years ago)

Last Updated

2020-06-11 (about 5 years ago)

Other

Published

Title

Published

2025-10-30

Title

WordPress User Extra Fields < 16.8 - Subscriber+ Arbitrary File Deletion

Published

2018-10-27

Title

ARForms < 3.5.2 - Unauthenticated Arbitrary File Deletion

Published

2024-03-04

Title

File Manager And File Manager Pro (Multiple Versions) - Directory Traversal

Published

2024-06-24

Title

WordPress < 6.5.5 - Contributor+ Path Traversal in Template-Part Block

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Admin+ LFI via Traversal