WordPress Plugin Vulnerabilities
WordPress File Sharing Plugin < 2.0.5 - Subscriber+ Sensitive Data and Files Exposure via IDOR
Description
The plugin does not check authorization before displaying files and folders, allowing users to gain access to those filed by manipulating IDs which can easily be brute forced
Proof of Concept
1. Create a private folder that contains a file that you intend keep secret.
2. Add the plugin shortcode `[upf_manager]` to a post.
3. Access a file that you have access to and intercept the request.
4. Manipulate the `doc_id` to contain the number of of a file that you want to access (this will be random), for example: `doc_5712`
5. See that the response discloses the file when the user doesn't have access to it: `{"doc_ttl":"secret-image.jpg","doc_src":"https:\/\/example.com\/wp-content\/uploads\/upf-docs\/usr1_1694106985_secret-image.jpg","doc_desc":"","file_type":"img","cmnts_html":"","author":"admin@example.com"}`
6. The file can then be directly downloaded.
Note: The `fldr_id` can also be manipulated.
Affects Plugins
Fixed in 2.0.5 References
Classification
Type
IDOR
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
Dmitrii Ignatyev
Submitter
Dmitrii Ignatyev
Submitter website
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2023-10-09 (about 7 months ago)
Added
2023-10-09 (about 7 months ago)
Last Updated
2023-10-11 (about 7 months ago)
WPScan 