Vrm 360 3D Model Viewer <= 1.2.1 – Full Path Disclosure | CVE 2023-5177 | Plugin Vulnerabilities

Description

The plugin exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode.

Proof of Concept

1. Create a page
2. Place the shortcode `[vrm360 canvas_name=s1 model_url=SA_Character.zip aspect_ratio=1.8 initial_offset=0.9]` on the page (`SA_Character.zip` should be a non-existent file)
3. Publish page
4. Visit the page and see the full path disclosure in the browser's console.

Affects Plugins

No known fix

References

CVE

Classification

Type

FPD

OWASP top 10

A6: Security Misconfiguration

CWE

CVSS

Miscellaneous

Original Researcher

Jonatas Souza Villa Flor

Submitter

Jonatas Souza Villa Flor

Submitter website

https://decriptosec.com/

Submitter twitter

Verified

Yes

WPVDB ID

a67b9c21-a35a-4cdb-9627-a5932334e5f0

Timeline

Publicly Published

2023-09-25 (about 2 years ago)

Added

2023-09-25 (about 2 years ago)

Last Updated

2023-09-25 (about 2 years ago)

Other

Published

Title

Published

2014-08-01

Title

Jigoshop 1.8 - Multiple Script Direct Request Path Disclosure

Published

2025-02-17

Title

BigBuy Dropshipping Connector for WooCommerce < 2.0.1 - Unauthenticated Full Path Disclosute

Published

2019-10-16

Title

Fast Velocity Minify < 2.7.7 - Full Path Disclosure

Published

2014-08-01

Title

Studio Zen - Multiple Script Direct Request Path Disclosure

Published

2014-08-01

Title

DZS Video Gallery 3.1.3 - Remote File Disclosure