WordPress Plugin Vulnerabilities
Download Plugin < 2.0.0 - Subscriber+ Website Download
Description
The plugins does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.
Proof of Concept
PoC: jQuery.post(ajaxurl,{ action:"dpwap_plugin_download_url", pluginData:"..\\..\\..\\wordpress" }) Warning: this will make a zip of the whole installation and takes a few minutes. The result is available at https://example.com/wordpress.zip and the zip file contains all files under the installation directory including wp-config.php.
Affects Plugins
References
CVE
Classification
Type
TRAVERSAL
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2021-11-11 (about 2 years ago)
Added
2022-11-02 (about 1 years ago)
Last Updated
2022-11-02 (about 1 years ago)