Orders Tracking for WooCommerce < 1.2.6 – Admin+ Arbitrary File Access/Read | CVE 2023-4216 | Plugin Vulnerabilities

Description

The plugin doesn't validate the file_url parameter when importing a CSV file, allowing high privilege users with the manage_woocommerce capability to access any file on the web server via a Traversal attack. The content retrieved is however limited to the first line of the file.

Proof of Concept

As an admin, open the following URL

https://example.com/wp-admin/admin.php?page=woo-orders-tracking-import-csv&step=mapping&file_url=/etc/passwd

Change the file_url parameter to a file on the web server and observe that the plugin will display the first line of the file in each of the "Column name" dropdowns.

Affects Plugins

woo-orders-tracking

Fixed in 1.2.6

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Utkarsh Agrawal

Submitter

Utkarsh Agrawal

Submitter website

https://smart7.in

Submitter twitter

Verified

Yes

WPVDB ID

8189afc4-17b3-4696-89e1-731011cb9e2b

Timeline

Publicly Published

2023-08-14 (about 2 years ago)

Added

2023-08-14 (about 2 years ago)

Last Updated

2023-08-14 (about 2 years ago)

Other

Published

Title

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Admin+ LFI via Traversal

Published

2022-11-30

Title

Easy WP SMTP < 1.5.2 - Admin+ Arbitrary File Access

Published

2025-10-30

Title

WordPress User Extra Fields < 16.8 - Subscriber+ Arbitrary File Deletion

Published

2015-07-05

Title

S3Bubble <= 0.7 - Directory Traversal leading to Arbitrary File Access

Published

2022-09-15

Title

SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion