WordPress File Sharing Plugin < 2.0.5 – Subscriber+ Sensitive Data and Files Exposure via IDOR | CVE 2023-4836 | Plugin Vulnerabilities

Description

The plugin does not check authorization before displaying files and folders, allowing users to gain access to those filed by manipulating IDs which can easily be brute forced

Proof of Concept

1. Create a private folder that contains a file that you intend keep secret.
2. Add the plugin shortcode `[upf_manager]` to a post.
3. Access a file that you have access to and intercept the request.
4. Manipulate the `doc_id` to contain the number of of a file that you want to access (this will be random), for example: `doc_5712`
5. See that the response discloses the file when the user doesn't have access to it: `{"doc_ttl":"secret-image.jpg","doc_src":"https:\/\/example.com\/wp-content\/uploads\/upf-docs\/usr1_1694106985_secret-image.jpg","doc_desc":"","file_type":"img","cmnts_html":"","author":"admin@example.com"}`
6. The file can then be directly downloaded.

Note: The `fldr_id` can also be manipulated.

Affects Plugins

user-private-files

Fixed in 2.0.5

References

CVE

URL

https://research.cleantalk.org/cve-2023-4836-user-private-files-idor-to-sensitive-data-and-private-files-exposure-leak-of-info-poc

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://blog.cleantalk.org

Verified

Yes

WPVDB ID

c17f2534-d791-4fe3-b45b-875777585dc6

Timeline

Publicly Published

2023-10-09 (about 2 years ago)

Added

2023-10-09 (about 2 years ago)

Last Updated

2023-10-11 (about 2 years ago)

Other

Published

Title

Published

2025-06-06

Title

BuddyPress Docs < 2.2.5 - Subscriber+ Arbitrary Document Read/Update

Published

2024-06-28

Title

Page and Post Clone < 6.1 - Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure

Published

2025-02-21

Title

WP Job Portal < 2.2.9 - Insecure Direct Object Reference to Authenticated (Subscriber+) User Photo Disconnection

Published

2023-06-23

Title

JS Help Desk - Best Help Desk & Support < 2.7.8 - Subscriber+ Ticket Manipulation via IDOR

Published

2024-12-23

Title

Content No Cache: prevent specific content from being cached < 0.1.3 - Unauthenticated Private Content Disclosure