WordPress Plugin Vulnerabilities

Video Downloader for TikTok < 1.4 - Server Side Request Forgery (SSRF) & Local File Inclusion (LFI)

Description

The plugin is vulnerable to SSRF or LFI attacks via the njt-tk-download-video parameter sent by the user not being properly sanitized before used in code.

Affects Plugins

Plugin icon
downloader-tiktok
Fixed in 1.4

References

CVE
CVE-2020-24142
CVE
CVE-2020-24143
URL
https://github.com/secwx/research/blob/main/cve/CVE-2020-24143.md
URL
https://github.com/secwx/research/blob/main/cve/CVE-2020-24142.md

Miscellaneous

Original Researcher
Suzhou Aurora Infinity Information Technology Co., Ltd
Verified
Yes
WPVDB ID
5849a5c0-9705-45b4-80f6-81a194c9664a

Timeline

Publicly Published
2021-04-13 (about 4 years ago)
Added
2021-07-09 (about 4 years ago)
Last Updated
2022-04-12 (about 3 years ago)

Other

Published
Title
Published
2020-01-27
Title
CarSpot < 2.2.3 - Multiple Vulnerabilities
Published
2020-03-24
Title
Data Tables Generator By Supsystic < 1.9.92 - CSRF to Stored XSS, Data Table Creations, Settings Modification
Published
2014-08-01
Title
Leaflet Maps Marker - Multiple security issues
Published
2020-06-15
Title
KingComposer < 2.9.4 - Multiple Critical Issues
Published
2016-05-13
Title
WP Editor < 1.2.6 - CSRF & Incorrect Permissions