WordPress Plugin Vulnerabilities

Direct Download for WooCommerce <= 1.15 - Unauthenticated LFI

Description

The directdownload WordPress plugin was affected by an Unauthenticated LFI security vulnerability.

Affects Plugins

Plugin icon
directdownload
No known fix

References

URL
http://www.diegoceldran.es/how-to-use-exploit-remote-lfi-for-direct-download-for-woocommerce-up-to-v1-15/
URL
https://seclists.org/fulldisclosure/2017/Jan/39
URL
https://codecanyon.net/item/direct-download-for-woocommerce/6320429

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
b4c73a7a-1a14-4e99-a869-59aa187a5555

Timeline

Publicly Published
2017-01-17 (about 9 years ago)
Added
2017-01-18 (about 9 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2024-07-03
Title
Elementor Addons by Livemesh < 8.4.1 - Authenticated (Contributor+) Limited Local File Inclusion via Widgets
Published
2014-08-01
Title
Payment Gateways Caller for WP e-Commerce 0.1.0 - load_merchant Parameter Traversal Local file Inclusion
Published
2026-01-06
Title
Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal
Published
2025-03-19
Title
Event Manager, Events Calendar, Tickets, Registrations – Eventin < 4.0.25 - Authenticated (Contributor+) Local File Inclusion
Published
2024-05-13
Title
JCH Optimize < 4.2.1 - Authenticated (Subscriber+) Directory Traversal