WordPress Plugin Vulnerabilities

Orders Tracking for WooCommerce < 1.2.6 - Admin+ Arbitrary File Access/Read

Description

The plugin doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file.

Proof of Concept

As an admin, open the following URL

https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csv&step=mapping&file_url=/etc/passwd

Change the file_url parameter to a file on the web server and observe that the plugin will display the first line of the file in each of the "Column name" dropdowns.

Affects Plugins

Plugin icon
woo-orders-tracking
Fixed in 1.2.6

References

CVE
CVE-2023-4216

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
4.1 (medium)

Miscellaneous

Original Researcher
Utkarsh Agrawal
Submitter
Utkarsh Agrawal
Submitter website
https://smart7.in
Submitter twitter
agrawalsmart7
Verified
Yes
WPVDB ID
8189afc4-17b3-4696-89e1-731011cb9e2b

Timeline

Publicly Published
2023-08-14 (about 3 months ago)
Added
2023-08-14 (about 3 months ago)
Last Updated
2023-08-14 (about 3 months ago)

Other

Published
Title
Published
2022-08-29
Title
WPvivid Backup 0.9.76 - Admin+ Arbitrary File Deletion
Published
2023-01-23
Title
Customer Reviews for WooCommerce < 5.16.0 - Contributor+ LFI
Published
2015-09-30
Title
mTheme Unus < 2.3 - Directory Traversal
Published
2023-11-21
Title
Quttera Web Malware Scanner < 3.4.2.1 - Admin+ Path Traversal
Published
2017-10-20
Title
Multiple Plugins - jQueryFileTree - Unauthenticated Path Traversal