WordPress Team Members Showcase < 4.1.2 – Subscriber+ Arbitrary File Read and Deletion | CVE 2022-2557

Description

The plugin contains a file which could allow any authenticated users to download arbitrary files from the server via a path traversal vector. Furthermore, the file will also be deleted after its content is returned to the user

Proof of Concept

https://example.com/wp-content/plugins/tlp-team/resources/download.php?file=../../../../test.txt

Affects Plugins

tlp-team

Fixed in 4.1.2

References

CVE

CVE-2022-2557

Classification

Type

TRAVERSAL

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

9.6 (critical)

Miscellaneous

Original Researcher

Nhật Nam

Submitter

nhatnam

Submitter website

https://www.linkedin.com/in/nhat-nam-dinh-14a6a2208/

Verified

Yes

WPVDB ID

c043916a-92c9-4d02-8cca-1a90e5382b7e

Timeline

Publicly Published

2022-07-27 (about 3 years ago)

Added

2022-07-27 (about 3 years ago)

Last Updated

2023-04-25 (about 2 years ago)

Other

Published

Title

Published

2021-12-01

Title

OMGF < 4.5.12 - Admin+ Arbitrary Folder Deletion via Path Traversal

Published

2019-05-23

Title

Simple File List Plugin <= 3.2.4 - Authenticated Arbitrary File Delete

Published

2022-10-28

Title

Ultimate Member < 2.5.1 - Admin+ RCE

Published

2021-01-15

Title

Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download

Published

2022-09-05

Title

Download Manager < 3.2.55 - Admin+ Arbitrary File/Folder Access via Path Traversal